Shortage of InfoSec pros noticed, but how many do we need?

This story caught my eye a few weeks ago, and at first I brushed it off as the standard story: the US is doomed unless it keeps up with the programs of other nations, whose people are apparently far better at penetrating systems than we will ever be, and the only way to keep up is to pump tens of thousands of people through training. I tend to dismiss these stories because, although they often contain a grain of truth, there is usually more going on than people understand.

Before I get into this, I want to be clear that I am not disagreeing with the need for more InfoSec pros, and certainly not with the need for better training. We see that need every time a breach happens that should never have happened. Sure, some breaches happen because someone found a serious 0-day and slipped in before anyone knew it was a problem. But most of the time, probably closer to 99% of the time, these things happen not because of a new attack but because the existing infrastructure wasn't properly protected against attacks that were already known.