Comment by the_arun
Comment by the_arun 13 hours ago
Also decline in Security engineer by 0.35% doesn't make sense by conventional wisdom. Shouldn't it be increasing due to increased demand for security in all ai integrations?
Comment by the_arun 13 hours ago
Also decline in Security engineer by 0.35% doesn't make sense by conventional wisdom. Shouldn't it be increasing due to increased demand for security in all ai integrations?
Security products and practitioners are the classic snake oil salesmen. They are actually sales and marketing roles for help closing deals by emphasizing some security aspect. True security comes from general IT practices followed by engineers themselves.
I would be wary of making categorical claims like this, but it's unfortunately true that "security" field hasn't been doing well in a long, long time now.
Half the field is B2B "magic bullet" solutions like CrowdStrike and all the associated sales tactics - with pitches that boil down to "you give us money, we make your security issues go away". Half of what remains is mandatory certifications and other flavors of checklist-obsessed cargo cultists - often CYA-driven, often demanding the adoption of the fancy acronym of the day, regardless of the real threat profiles. Then you get the "security snake oil" - "magic bullet" systems that don't work, never did and never will, but are supported by the right influence groups and get the right pockets lined, and so are used anyway. DRM systems like WideVine and PlayReady being the prime examples. Then there are the corporate "security of our business model" shills - who pay lip service to "security", but have the true aims of "prevent anyone we don't like from doing anything that can harm our revenue streams" - with Apple being a common example.
And about a fifth of the field is people who do actual security work, and keep the sky from falling.
I agree with you totally, although I'd venture to guess 20% is way too high. I'd say you have about 10% people doing security work, 15% doing compliance, and the rest are consuming oxygen.
It's a growth field, so you have lots of idiots getting certifications and stupid jobs. Reminds me of the 90s when I started, and companies were paying MCSE's (ie read a book, hit next-next-finish in Windows NT) more than software engineers in some markets.
> True security comes from general IT practices followed by engineers themselves
Sounds exactly like something the average security practitioner would say...
`not_sure_if.jpg`
> True security comes from general IT practices followed by engineers themselves.
I have yet to meet an org whose engineers care about security, or who would not compromise security if secure practices got in the way of shipping a product or feature.
I'm a bit amazed you consistently get downvoted while you seem to speak the truth. So much gray in your comments.
I consistently see this commenter making a single comment, of questionable relevance, expressing a strong opinion which isn't particularly thoughtful or interesting or true. Then they ignore the pushback and move on to the next thread, where they post another tangential hot take. I'm not at all surprised at the result. Those comments attract a lot of downvote because they aren't very good.
This thread is a microcosm of that. They went on a tangent from a tangent to express how little they think of their colleagues working in security. It wasn't out of curiosity, it didn't raise interesting questions or provoke interesting debate. They didn't defend or substantiate their opinion so that they and we could learn something from it. It was just a drive-by flamebait to stir the pot and express derision. It should be downvoted; it's a bad comment.
Perhaps that pattern is difficult to see when their hot takes align with your own takes.
People are sleeping on AI in sec, lots of lazy sec engs and architects going to be SoL sooner rather than later.
Most companies don’t care about security beyond window dressing and getting whatever certification required to close deals.
Time for budget cuts? Cut the Security team!
From what I can see, being closer than the average engineer to the space (but not an expert on my own), a few things are happening:
* Engineers are being pushed for ownership of security more directly. You still need someone on the team to guide and support them, but they're not going to be directly involved all of the time.
* Significant amounts of automation and centralized security. Supply chain management is a double edge sword. It does open up vulnerabilities, but you can simply pay one of the SaaS companies in the space to help with a lot of the heavy lifting.
* Commoditization/Platform-ification drastically reduces attack vectors.
OWASP has a nice comparison from over the years: https://github.com/OWASP/Top10/blob/master/2021-2003_Compari...
I think it's because companies are moving away from in-house security and hiring 3rd party companies for security work. It also depends on the time of year this was taken. Q4 is the busiest time for security. Q1 is the slowest.
I'm a security consultant and work with multiple companies that provide security services. Work has increased massively in the last year.
Bold of you to assume there is any demand for security in AI integrations. It's like 90s web browsers, everyone's running random MCP servers that do god knows what.
Seems like when the security market is low on the white hat side, it's high on the black hat one. Security people just need to learn to adapt.
I'm sure some of these ransomware groups probably offer health insurance and 401k matching.
I wouldn't be surprised by a drop in security postings. Quite a few companies view security as an "overhead" so the siren call of reducing that overhead by introducing AI is a thing.
Also for a lot of jobs in security it's pretty hard to measure how well it's being done, so if the AI based solutions are worse, that might not show up for a while