Tell HN: Information security audit / consulting is largely a scam industry
Shortly after starting in this line of work, it became clear that the services we sell are disingenuous. Here are some examples of why:
* My main argument: there is a HIGH likelihood that information security consulting is the first job out of college for the auditor leading you through the engagement. Beyond surface-level knowledge about multi-factor authentication being important and knowing that “Splunk is where the logs go,” your assessor is probably just nodding their head, asking canned questions from a spreadsheet, and not fully comprehending what you are telling them.
* We are told to describe ourselves as information security experts. I am not an expert. Every time I have to describe myself as the expert, I die a little inside. If I am the expert in the room yet still a recent college graduate, there is a glaring problem here.
* The middle manager of my department did not know the difference between a public and a private IP address when we reviewed DRL evidence together.
* The person leading your engagement may have a slight idea about what is going on, but they probably are tied to five other engagements and are not genuinely motivated to find problems because they are already underwater.
I can’t say that information security consulting is all bad. On several occasions, I have helped companies remove the clueless CEO from Domain Admins or explain why adding MFA to Cisco AnyConnect was a good idea for them. I should also mention that these types of positions are great for learning the inner workings of large companies that you might want to work at later on, how to passably write a report, and how to present information to executives.
Maybe I am preaching to the choir here. Interested to hear others' perspectives.
72 comments
[ 0.60 ms ] story [ 139 ms ] threadHowever, a good auditor should also make recommendations on how to improve controls without holding the threat of a qualified report over your head if you don't comply.
So while I agree that they do not have to be a domain expert to do the bare minimum, such audits that they can provide are not especially useful in the long run. I want the value add of recommendations from a domain expert. This, however, is not that common.
Worse are the guys that think they have a badge. Their position has gone to their heads, and they are a nightmare to work with. I hate having to school these guys that it is not their job to demand specific controls (in the case of SOC2 for example), but to compare the controls in place to the standard, and verify that they are indeed in place. Unfortunately, all these guys work for accounting firms, and their bosses are generally clueless, so the "cyber guy" runs rampant. Some auditors need an audit.
Even the links and categorization they used where strikingly similar to ZAP’s output.
Now, not everybody knows about ZAP and they might benefit from such assessments, it also happens that the higher ups tend to not trust their people and seeing a spreadsheet with a logo from a security company is comforting to them, but at any rate, I found no value at all whatsoever from the experience except from the commendation of the CEO about our good security practices since nothing major showed up on the audit (I had taken a cursory look at bed practices and used common sense like defaulting to distrust user input)
All I’m trying to say is, using a tool like ZAP (https://www.zaproxy.org/), which also happens to be an amazing tool for development too usually can take you very far with its automated testing, and if the higher ups still need a rubber stamp from a third party, well, that’s up to them…
The “methodology” was as comprehensive and revealing as a ping test. The doc contained a single screenshot, was riddled with both grammatical and technical errors about the environment they were supposed to be ‘penetrating’.
Made me wonder if I’m in the wrong segment of tech if this is what companies are throwing away for such shitty tests when I know I could do a better job.
This was a project that had millions of dollars in man hours and where many developers with a lot more experience than me had worked for years…
Bottom line, they had a monkey patch custom framework that wad just Django without documentation and with huge security holes…
I sometimes wonder if that industry exists because if suits don’t see a $30k to fix checking an user id, they couldn’t be bothered to have engineers do “useless” tickets to pen test their own systems
It is a borderline racket where everyone is insisting on this cert from everyone else they are doing business with at the enterprise level.
But quality of pentests do vary significantly depending on who you buy from.
Rubber stamps can be useful as an absolute minimum base line, because companies will lie through their teeth that their product is "secure", and at least with even a poor pentest you know you probably wont get easily hacked by a script kiddie, which may be a valuable assurance.
If you run something in-house and there is a security breach, it gets really uncomfortable, as you need to ask questions, assign blame, draw consequences. If $BIG_SAAS_PROVIDER gets their entire database leaked then well, it's not your fault, also if even $BIGCORP gets hacked it must have been really professional hackers and it can hardly be you made a bad call here. Nobody ever got fired for buying IBM.
Yes, it's pretty scammy. Yes, if you know what you're doing, you know what they'll find. And charge you for what you already know.
But it's a tool. As a principal/staff-level IC or as a low-level manager, you may run into problems convincing the higher-ups to address very real security concerns. So you may want to recommend such an audit. Because those newcomers are "experts" and their findings may sway upper management. Even if management pays you to be an expert, they're paying extra for new, extra expertise!
People right out of college with zero experience help Fortune 500 companies with strategy, mergers, acquisitions, process design, enterprise system implementation, auditing their financial statements, etc.
The world is run by young people with minimal experience. Their organization's procedures, checklists, on-the-job training, and occasional guidance by someone with more experience somehow make it work.
And remember that your clients are even less knowledgeable than you and your checklist.
In the land of the blind, the one-eyed person is a god.
And it certainly doesn’t mean security review is useless. You don’t even need to be particularly good to catch some of the worst things I’ve seen. Soc2 doesn’t necessarily mean you are secure but it does require the organization to do quite a few things that it’s a good idea to do. Periodic internal security review, having a password policy. There are few things in soc2 that are actually useless. Real security requires more than the compliance checklist, but the checklist isn’t a bad place to start.
Honestly deciding to care about security is a good place to start. Look at Colonial Pipeline. If they’d cared about security at all they could have hired a security engineer or even promoted a capable internal IT person to security engineer. That person could have even been wildly under qualified. Imagine going to work your first day as a security engineer, knowing you don’t know shit. What’s the first thing you do? Google security best practices. One of the top ten things is don’t share passwords. Another is don’t reuse passwords, another is rotate passwords when employees leave. (So write a password policy for the first two, but 1password, create a checklist Telford the third) Those three things would have prevented the thing that actually got them breached. The rest of the list of top ten would have prevented them getting ransomwared.
None of the bad security I’ve seen has been particularly hard to identify or fix. The problem has always been insufficient will to fix it.
I have yet to see an organization that implemented all of what I would call the easy stuff. I’d be thrilled to see it because it would mean we could dig into the truly hard stuff.
Which is very different from pen testing, internal/external vulnerability assessments, PCI level 1/2, etc.
SOC2'ing is often like an auditor verifying that one does things according to a prescribed, or described process that the company attests to. I've often viewed it as 'accounting style firms' looking to get a bite of that 'juicy security scare fee pie'
The security side is literally the only part of tech that is remotely “regulated”. Self-policing organizations created their own standards and private firms conduct the audits. Yet it’s obviously bullshit and box ticking.
Do you not realize this is how everything in society works? It’s endless make-work where highly credentialed know-nothings check boxes in order to fulfill some bureaucratic process they didn’t invent and don’t care / aren’t capable of improving.
This is the end result of bureaucracy.
More people and more powerful companies means more abuses of power, which we solve (or try to solve) with regulations. And deregulation is often a simple power grab by unscrupulous companies with the help of crony politicians.
These aren't universal truths, but I think it does start to explain why regulations expand more than they contract.
Contrast that with private business which is forced to adapt to change. They always strive to increase productivity by increasing value while decreasing costs. The exact opposite incentive exists in the government.
I do have a solution to this conundrum - I think we should give leaders a bonus that is a percentage of savings. For example, if an agency has $200 million budget, give the director 10% of all money saved every year. So if they successfully shrink their budget by $10 million, give them a $1 million bonus.
But as it exists today there is no amount of budget that can satisfy the needs of the state.
Wouldn't that just incentivize individuals to gut their agencies for personal profit? The day after a rule like that was put in place, the FDA would stop regulating every drug just so the director would get a $30m payout.
Also, with inflation (especially high as it is now), why would we ever expect an agency's budget to shrink a meaningful amount? Surely we would expect an 8% increase in every agency's budget just to maintain the status quo.
How much it suceedes is debatable but auditers being security experts is irrelavent to those goals.
Sometimes you pay for the resources, processes, and is intuitional knowledge put in place by a vendor rather than the warm body who is your point of contact.
I quit after a few years to go into software engineering. OP, your first career choice out of college really doesn’t have to stick if you don’t like it. I have strong opinions about the audit/consulting industry but otoh it wasn’t a complete loss: as OP said, the soft skills from that time have proved genuinely invaluable.
Nobody thinks most auditors are experts. I have met a few, but mostly their job is to perform very standardised assessments, to meet compliance requirements. Internal audit is no different in this respect.
Consulting, on the other hand, I agree is hugely oversold. I have experience of being invaded by a swarm of big-name consulting firm graduate "security experts".
They didn't do a bad job in the end. They gathered the requirements, listened to the staff, and recommended pretty much what we would have recommended. Someone somewhere with more experience must have reviewed it at some point I guess.
In this case, the senior management was really paying for the "big firm" seal of approval on a big spend, not for any earth shattering security insight.
if the company is doing a risky project, having a second opinion may be well worth the money.
Assessment teams have varying quality. Get the best results for your org you can out of them.
I did an assessment once where we were an add on to a third party platform. The assessor (from the third party platform) reports we are using a vulnerable javascript library! I said we're not even using that library, so he must've mixed us up with someone else.
Tons of back-and-forth emails. He eventually sends us a couple of screen shots from browser dev tools. It turns out the guy was talking about a library on their own platform. It took even more back and forth emailing, until we escalated and the problem was resolved.
Not using a library !== not vulnerable.
The company is happy to say "we did it, we're secure! Nothing to worry about!"
The consulting firm is happy to cash checks.
One clue that a company is more interested in pretend work than real work is they start hiring consultants. No offense to consultants intended by the way. Most of the economy is pretend work.
They say "war is young man's game" - think about the 10s of millions of young men (some as young as 14) that went to war in WWI, WWII, etc
A group of 17-19 year olds is commanded by someone who's only 20 or 21
That you have any security experience, checklists to follow, senior people to rely on (ie the majors and staff sergeants, to continue the analogy) means you're worlds ahead of most people you're going to come in contact with
In Outliers, Gladwell claimed/popularized you need 10000 dedicated practice hours to be an "expert"
But in practice you only need about 200h to be in the top 10th or 5th percentile (or even higher) [1][2] (related: [3] & [4])
And regardless of how "experienced" someone else is (even how much more "experienced" they are than you), they don't have your team behind you, nor the focus that you bring
-------------
[0] https://news.ycombinator.com/item?id=32041787
[1] https://danluu.com/p95-skill
[2] https://www.linkedin.com/pulse/what-takes-best-whatever-you-...
[3] https://www.fastcompany.com/3027564/scientists-debunk-the-my...
[4] https://www.flyingmag.com/what-makes-expert
I changed to infosec because of the money.
Cybersec pays well earlier than software engineering does, but you meet glass ceilings quite rapidly. Once you get really good at what you do, software engineering is where the real reward is.
Alternatively, if you don't mind focusing on a single product, becoming an expert in any commercial software that costs at least 1m$ to integrate in large companies will land you a high paying salary guaranteed with a tenth of the effort you'd need for software engineering or cybersecurity.
> Once you get really good at what you do, software engineering is where the real reward is
Do you mean any technological stack here.
> becoming an expert in any commercial software that costs at least 1m$ to integrate
Any particular examples here?
Thanks.