I have hired security consultants a couple of times, and found that it was challenging, but within the normal limits of how challenging hiring always is. If you want someone to tell you the best practices for encrypting AWS servers, or even how to protect some unusual configuration of AWS services, my guess is that you can probably find someone (although maybe you will be paying them $200+/âhour).
My assumption is that the challenge you are pointing to is more about finding people who can e.g. come up with novel cryptographic methods or translate game theoretic international relations results into security protocols, which seems different from (and substantially harder than) the work that most âinformation securityâ people do.
Is that accurate? The way you described this as a âsellerâs marketâ etc. makes me unsure if you think itâs challenging to find even ânormalâ/âjunior info sec staff.
The key roles we have in mind are a bit closer to what is sometimes called âsecurity officer,â i.e. someone who can think through (novel, GCR-focused) threat models, plausibly involving targeted state-based attacks, develop partly-custom system and software solutions that are a match to those threat models, think through and gather user feedback about tradeoffs between convenience and security of those solutions, develop and perhaps deliver appropriate training for those users, etc. Some of this might include things like âprotect some unusual configuration of AWS services,â but I imagine that might also be something that the security officer is able to outsource. Weâve tried working with a few security consultants, and it hasnât met our needs so far.
Projects like âdevelop novel cryptographic methodsâ might also be useful in some cases â see my bullet points on research (rather than implementation) applications of security expertise in the context of AI â but they arenât the modal use-case weâre thinking of.
But also, we havenât studied this potential career path to the level of depth that (e.g.) 80,000 Hours typically does when developing a career profile, so we have more uncertainty about many of the details here even than is typically represented in an 80,000 Hours career profile.
Thanks Claire and Luke for writing this!
I have hired security consultants a couple of times, and found that it was challenging, but within the normal limits of how challenging hiring always is. If you want someone to tell you the best practices for encrypting AWS servers, or even how to protect some unusual configuration of AWS services, my guess is that you can probably find someone (although maybe you will be paying them $200+/âhour).
My assumption is that the challenge you are pointing to is more about finding people who can e.g. come up with novel cryptographic methods or translate game theoretic international relations results into security protocols, which seems different from (and substantially harder than) the work that most âinformation securityâ people do.
Is that accurate? The way you described this as a âsellerâs marketâ etc. makes me unsure if you think itâs challenging to find even ânormalâ/âjunior info sec staff.
The key roles we have in mind are a bit closer to what is sometimes called âsecurity officer,â i.e. someone who can think through (novel, GCR-focused) threat models, plausibly involving targeted state-based attacks, develop partly-custom system and software solutions that are a match to those threat models, think through and gather user feedback about tradeoffs between convenience and security of those solutions, develop and perhaps deliver appropriate training for those users, etc. Some of this might include things like âprotect some unusual configuration of AWS services,â but I imagine that might also be something that the security officer is able to outsource. Weâve tried working with a few security consultants, and it hasnât met our needs so far.
Projects like âdevelop novel cryptographic methodsâ might also be useful in some cases â see my bullet points on research (rather than implementation) applications of security expertise in the context of AI â but they arenât the modal use-case weâre thinking of.
But also, we havenât studied this potential career path to the level of depth that (e.g.) 80,000 Hours typically does when developing a career profile, so we have more uncertainty about many of the details here even than is typically represented in an 80,000 Hours career profile.