Also, I hypothesise EA needs more “head of security” people who can do everything from “explain to the CEO that the cost of stealing all of our intellectual property right now is around $100k” to “decide on useful policies and help the employees not be too annoyed by them”, including “here are tradeoffs we can choose to make, and here are clever ways we can get extra security at very low cost”. Another non-trivial task is “hire people who actually understand security”.
Do you have opinions on whether I’m right here?
If so, it might be worth thinking about how to get more such people. Seems hard.
I think you’re right here. It tends to be senior people who have that capability, and there’s not enough of them in the industry. What makes this especially hard for us is that EAs tend to be younger and early to mid-career.
Thanks Yonatan! I was the editor of this review.
The section “How to enter infosecurity” has one section which discusses how to enter the field with a university degree. But it also notes: “However, you shouldn’t think of this as a prerequisite — there are many successful security practitioners without a formal degree.” The following section discusses how to enter the field without formal training.
Whether any given individual should pursue a degree depends on a bunch of individual factors.
Your suggestion that EA orgs should have a “head of security” of some sort sounds plausible in many cases. But a lot will depend on the size of the organisation, its specific security needs, what other duties this person would be responsible for, etc., so it’s hard to be generally prescriptive. As the review lays out, there’s likely to be an ongoing security need for many impactful orgs for the foreseeable future, and expertise in this domain will be needed at a variety of levels.