Ben Rothke asks if there's a shortage of information security professionals. I found his piece very interesting, as I've been puzzled by the crazy flow of security openings. In the provincial government, it must be something like 10 security openings for every development opening!
However, the impact in my context is quite different. The employer accepts even some of the poorest applicants, either because it is indeed unable to evaluate aptitudes, or because public sector rules force it. I've worked with a colleague who was clueless not just about IT in general, but even about security, and who was paid more than I was, as a so-called "expert". Indeed, an incredible share of the Quebec government's security openings offer an expert bonus.
But the most important crisis is not in information security jobs. It's in the security skills of generalist IT workers. Employers just don't grasp how security works. People who don't know IT think of it the way they would think of residential security.
Want to prevent intrusions in your home? Install a stronger door and lock.
Want to prevent intrusions in your PC? Install a firewall.
Your home keeps being broken into anyway? Buy an alarm system.
Your PC keeps being broken into anyway? Buy an antivirus.
Similarly, most people think of IT security as a feature rather than as a quality: a feature which can be added on. Unfortunately, such add-on security features tend to be heuristic, buggy and costly. It's more accurate to picture security as low insecurity than as a sum of measures, and insecurity is a sum of flaws. Real security comes when the entire information system is built with security in mind, by IT workers who all keep flaws in mind.
The problem is not so much that we don't have enough resources for security. It's mostly that we don't have them at the right place and time. Getting a 10 M € budget to overhaul security after a major breach will get you nowhere close to where an extra 2 M € spread over the project's life would have. When a system's architecture was rushed for lack of resources, patching gets costly and nowhere near as efficient as a rewrite, which in turn would be too risky.
What we do need is developers and other IT workers all putting security first, not treating it as an afterthought at best. It's been called the security-first mindset, security-first culture, or developer-first security. But for security-first to happen, developers need the means first. As long as development is rushed and QA is a lucky bonus, we will keep producing bugs of all kinds. Developers need to have the necessary knowledge and to feel responsible, and for this, their reputation needs to track their full record. As long as most IT workers stay ignorant or careless about security, organizations will keep getting hit. If you want peace of mind, prepare for security early.