An additional point is that “relevant roles in government” should probably mean contracting work as well. So it’s possible to go work for Raytheon, get a security clearance, and do cybersecurity work for government (and that pays significantly better!)
I think working at a top security company could be a way to gain a lot of otherwise hard-to-get experience. Trail of Bits, NCC Group, FireEye are a few that come to mind.
Our current best guess is that people who are interested should consider seeking security training in a top team in industry, such as by working on security at Google or another major tech company, or maybe in relevant roles in government (such as in the NSA or GCHQ). Some large security companies and government entities offer graduate training for people with a technical background. However, note that people we’ve discussed this with have had differing views on this topic.
This is a big area of uncertainty for me. I agree that Google & other top companies would be quite valuable, but I’m much less convinced that government work will be as good. At high levels of the NSA, CIA, military intelligence, etc. I expect it to be, but for someone getting early experience, it’s less obvious. Government positions are probably going to be less flexible / more constrained in the types of problems to work on and have less quality mentorship opportunities at the lower levels. Startups can be good if the startups value security (Reserve was great for me because I got to actually be in charge of security for the whole company & learn how to get people to use good practices), but most startups do not value security, so I wouldn’t recommend working for a startup unless they showed strong signs of valuing security.
My guess is that the important factors are roughly:
Good technical mentorship—While I expect this to be better than average at the big tech companies, it isn’t guaranteed.
Experience responding to real threats (i.e., a company that has enough attack surface and active threats to get a good sense of what real attacks look like)
Red team experience, as there is no substitute for actually learning how to attack a system
Working with non-security & non-technical people to implement security controls. I think most of the opportunities described in this post will require this kind of experience. Some technical security roles in big companies do not require this, since there is enough specialization that vulnerability remediation can happen via other companies.
One potential area of biorisk + infosec work would be in improving the biotech industry’s ability to secure synthesis & lab automation technology from use in creating dangerous pathogens / organisms.
This could be done by circumventing existing controls (e.g. ordering a virus which is on a banned-sequence list), or by hijacking synthesis equipment itself. So protecting this type of infrastructure may be super important. I could see this being a more policy-oriented role, but one that would require infosec skills.
I expect this work to be valuable if someone possessed both the political acumen to convince the relevant policy-makers / companies that it was worthwhile and the technical / organizational skill to put solid controls in place. I don’t expect this kind of work to be done by default unless something bad happens [i.e. a company is hacked and a dangerous organism is produced]. So having someone driving preventative measures before any disaster happens could be valuable.