"$10 trillion" - do you realise that's 10% of all transactions that occur in the entire world?
Yeah I misspoke, that is the total cost of breaches not the net profit. I’m going to pin your comment so that others can see my mistake. I don't want to mislead people.
@@CybersecPat ok even so, how is the cost 10% of global GDP?
@@ichibot-app The salaries of all people involved in "defending" plus an approximation of the money not being made by the businesses. It is not 10 trillion in a bank account.
@@ichibot-app just shut it already!
The demand must come from consumers. Right now, every software VP is telling his devs, "We need these 19 new features and they need to ship last week." And the devs say, "But what about security?" And the VP doesn't care because nobody is willing to pay for that.
Thanks for listening to me rant for 20 minutes, you're a real one.
Thanks to x1.25-x1.5 speed 😅
Ey man. This shift ain't gonna go any faster.
The issue is MONEY or greed.
Pretty much everything going to the cloud makes it a bigger and easier target.
Good summary, adding my rant as a different perspective you may want to consider: Education is good and all, but human error covers more than just social engineering (such as phishing). Misconfigurations and cumbersome or complicated processes are large contributors to why the human element is such an issue; it is not exclusively that a small minority of people don't care. On top of training we need to make it easier to do the right thing and harder to do the wrong thing. Change control to minimise misconfigurations, secure-by-default/design technology for day-to-day business, and making security controls transparent to the point where personnel are unaware of how many security layers they are going through. Examples are password policies to direct users towards stronger passwords; default access control configurations to stop users creating company-wide SharePoint sites with sensitive information; data-leak prevention to stop users from moving sensitive documents outside of the organisation; for cloud, pre-configured hardened images, centrally managed WAF/VPC/Security Groups - you get the point.
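One concrete form of the "change control to minimise misconfigurations" and "centrally managed Security Groups" points above is an automated check that runs before a security-group change is applied and rewrites the dangerous parts. The following is an added example written for this thread, not code from the video or from any cloud vendor; the rule format (a list of dicts with protocol/from_port/to_port/cidr), the admin-port list and the corporate source range `10.20.0.0/16` are all constructed assumptions, loosely modelled on how cloud ingress rules are usually described.

```python
"""Added example: pre-change audit and hardening of security-group ingress rules.

Illustrative code for this thread, not from the video or any vendor. The rule
format, the admin-port table and ADMIN_SOURCE are constructed assumptions.
"""
import ipaddress
from typing import Dict, List

Rule = Dict[str, object]

# Ports that should never be reachable from the whole internet (constructed list).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Hypothetical corporate source range that admin ports are re-scoped to.
ADMIN_SOURCE = "10.20.0.0/16"


def is_world_open(cidr: str) -> bool:
    """True when the source CIDR is 0.0.0.0/0 or ::/0 (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def covered_ports(rule: Rule) -> range:
    """Port range a rule permits; protocol "-1" means all traffic on all ports."""
    if rule["protocol"] == "-1":
        return range(0, 65536)
    return range(int(rule["from_port"]), int(rule["to_port"]) + 1)


def audit_ingress(rules: List[Rule]) -> List[str]:
    """Return one finding string per rule that exposes something it shouldn't."""
    findings = []
    for rule in rules:
        if not is_world_open(str(rule["cidr"])):
            continue  # scoped to a specific source: fine for this check
        if rule["protocol"] == "-1":
            findings.append(f"all traffic open to {rule['cidr']}")
            continue
        exposed = sorted(p for p in ADMIN_PORTS if p in covered_ports(rule))
        if exposed:
            names = ", ".join(f"{ADMIN_PORTS[p]}/{p}" for p in exposed)
            findings.append(f"{names} open to {rule['cidr']}")
    return findings


def harden_ingress(rules: List[Rule]) -> List[Rule]:
    """Return a corrected copy: drop world-open all-traffic rules, re-scope
    world-open admin ports to ADMIN_SOURCE, leave everything else unchanged."""
    hardened = []
    for rule in rules:
        world = is_world_open(str(rule["cidr"]))
        if world and rule["protocol"] == "-1":
            continue  # never ship "allow everything from anywhere"
        fixed = dict(rule)
        if world and any(p in covered_ports(rule) for p in ADMIN_PORTS):
            fixed["cidr"] = ADMIN_SOURCE
        hardened.append(fixed)
    return hardened


# Constructed sample: what a developer might submit in a change request.
SAMPLE_RULES: List[Rule] = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "-1", "from_port": 0, "to_port": 0, "cidr": "::/0"},
    {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "10.20.0.0/16"},
]

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES):
        print("FAIL:", finding)
    fixed_rules = harden_ingress(SAMPLE_RULES)
    print("hardened:", fixed_rules)
    print("re-audit:", audit_ingress(fixed_rules))
```

Run as a pre-apply gate in the change pipeline: the audit blocks the request and names exactly what is exposed, while the hardened copy is what gets offered back to the submitter, so the secure configuration is the path of least resistance rather than something each engineer has to remember.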
You said it better than I! Appreciate you sharing your thoughts.
Cybersecurity is an economics (incentives) problem, not a technical or technological problem. IoT can be done securely. Cloud can be done securely. We know how to do security. Consumers don't value security. Normal people cannot see the value in security, especially not against the value of some shiny doohickey or dumb stunt. Security has a PR problem.
damn right on target
people have no idea what they should worry about, most have no tech literacy.. companies MUST have
I think maybe there just needs to be better pay for entry level jobs and even more for senior ones, that would discourage the financial aspect of wanting to pursue cybercrime activities, but it’s probably much more complex than that…
Great subject that no one is addressing.
Thank you for the kind words! I'm hoping to raise awareness of these issues in an easy to understand manner that is interesting for both novices and experienced professionals. I appreciate you stopping by and for your feedback
Everyone is addressing it. I don't know about the US, but European countries focus on prevention, workplaces give employees secondary phones with 2FA already set up, VPNs set up, rules explained, and you are informed of your role in cybersecurity. We even receive fake phishing emails so that the cybersecurity company that works with our company can see if we fall for it, and if we need additional training.
I was just about to comment this. Really great topic.
Simply: Hoomon dum dum.
Complex: It's complicated. Watch the video above for basics.
Entry-level security jobs pay too well; there’s no incentive for a SOC Analyst 1 to become a Network Security Architect if they aren’t obsessively passionate about security.
My company has too many SOC Analyst IIIs, but Senior, Engineer and Architect roles stay open for months on end because the analysts don’t want to do training. They’re comfortable.
Based on your experience, could you critique my current plan? I'm currently going to WGU for cyber. I've been practicing fundamentals and doing labs. While going to school I am getting my AZ-900 and AWS. Should take me a year. Would you recommend this path for a role like cloud support or SOC1?
Thank you
I think that is a solid plan! If you can land a SOC position that'd be best
You are awesome with your explanation 👍❤🎉
Well, this is the problem with money. People don't want to invest into cybersecurity and clean code. We have intentionally made complex systems where memory leaks are all over the place and it's a real playground for people who are looking for them.
Thanks Pat, you earned a new subscriber. I'm currently in an AS program for cyber security. Opinions like yours are helping me tighten my focus to an applicable discipline. Also encouraging me to participate in the NCL this season, so thanks!
Thanks so much! Best of luck with your journey, I’m sure you’re going to absolutely slay!
Nobody looks at the open source policy problem. You can leave the entire code laying around on the internet for everyone & anyone to mess with
That's honestly a problem, that security personnel look at open source as unproblematic... geez
Security by obscurity isn't working either and there's no middle ground at the moment
If your codebase relies on not being seen for security, it's not secure.
@@johndoe1274 but don't these licenses force developers to release the full code of every version of any software?
@@cheyssentaylor Can you state what you said any clearer? I don't understand what you're getting at.
Open source means anyone can view it and it can be forked into another repository. If your code is not seen then more people will not try to break it/hack it, hence it's less secure.
Really like your take on the problems. It really is true that it can be hard getting into cyber security.
It is harder than it should be. I think we’ve got many talented people who’d love to get into it, but there just aren’t enough entry level positions.
Good video. Interesting. Thanks for making it
Yes, that's exactly it, you nailed it, mate👍
Thanks so much!
You gained a follower my friend, keep up the good work
Thanks! I hope to make more videos you enjoy in the future :D
Sounds like job security 😊
Yeah
16:00 I'm getting into cyber sec and my plan is to pass the basics that I need to show I can pass a test, then to plot out making a network, test it till I think it's ready and make it a honeypot to actively let it be attacked, or maybe make a CTF for a really bored red team to go for it, with consent.
However yes, you won't be hired if you just pass some tests, because they made it very clear: you understand it, and the best way to show it is to make a network and defend it. Sadly that's what I see as the bare minimum, due to most places not wanting to train people, so you have to do it yourself. Which is not easy, to be honest.
Yes I'm aware setting up a network and firewall and defending it is very different than having to deal with unprotected networks. However that's why no trust is a thing that is tossed at me so much in the stuff I'm working on test-wise. To put up so many internal gates, the damage done will hopefully be limited.
Reminds me of my job hunting strategy. I make some automation involving the tech in the job listing, then I give a live demo of that automation in the job interview. Makes you stand out and more memorable.