Thanks Claire and Luke for writing this!
I have hired security consultants a couple of times, and found that it was challenging, but within the normal limits of how challenging hiring always is. If you want someone to tell you the best practices for encrypting AWS servers, or even how to protect some unusual configuration of AWS services, my guess is that you can probably find someone (although maybe you will be paying them $200+/hour).
My assumption is that the challenge you are pointing to is more about finding people who can e.g. come up with novel cryptographic methods or translate game theoretic international relations results into security protocols, which seems different from (and substantially harder than) the work that most “information security” people do.
Is that accurate? The way you described this as a “seller’s market” etc. makes me unsure if you think it’s challenging to find even “normal”/junior info sec staff.
The key roles we have in mind are a bit closer to what is sometimes called “security officer,” i.e. someone who can think through (novel, GCR-focused) threat models, plausibly involving targeted state-based attacks, develop partly-custom system and software solutions that are a match to those threat models, think through and gather user feedback about tradeoffs between convenience and security of those solutions, develop and perhaps deliver appropriate training for those users, etc. Some of this might include things like “protect some unusual configuration of AWS services,” but I imagine that might also be something that the security officer is able to outsource. We’ve tried working with a few security consultants, and it hasn’t met our needs so far.
Projects like “develop novel cryptographic methods” might also be useful in some cases — see my bullet points on research (rather than implementation) applications of security expertise in the context of AI — but they aren’t the modal use-case we’re thinking of.
But also, we haven’t studied this potential career path to the level of depth that (e.g.) 80,000 Hours typically does when developing a career profile, so we have more uncertainty about many of the details here even than is typically represented in an 80,000 Hours career profile.