Friday, August 25, 2017

Is there really a lack of Cyber Professionals?

There are a lot of conflicting articles on whether or not we have a cyber skills drought or deluge currently. Some say HR teams are setting the bar too high even for entry level roles, some say we just don't have enough people with cyber skills, and yet others bemoan the salaries offered.

But which ever way you look at it, candidates are complaining about not being able to get jobs, and companies are having trouble hiring into roles. So there is a disconnect somewhere.

I have actually seen a dramatic improvement in the way the process seems to work (at least in the UK) for experienced hires over the last 6 or 7 years. With organisations like the Institute of Information Security Professionals providing skills frameworks, the majority of experienced individuals I know have reference benchmarks, a clearly defined skill set, awareness of salaries and packages, and a strong understanding of where they fit in security departments. But few have a solid alignment with risk, with conduct, with the business - so the wider knowledge and experience needed for a CISO is still in short supply.

At the mid-tier, I honestly think we are actually oversubscribed with a large number of skilled individuals available for hire. The problem here appears to be expectations. I see people with 5 years' experience asking for £80k and over, despite only having experience in penetration testing - a fairly narrow niche compared with what many companies are looking for. From the business perspective, that can rule these individuals out completely - which leads to HR looking at less experienced individuals for these roles and being disappointed in their capabilities.

At more junior grades I am starting to see universities producing graduates with not just technical expertise, but a more broadly applicable security skill set than previously, with luminaries such as Prof Bill Buchanan OBE leading the way in this respect - look at Zonefox as an incredibly successful company spun out from Napier University by Jamie Graves. 

But conversely, I'm still seeing companies having challenges hiring graduates. In looking into this, it is obvious that some of the problems are down to how HR teams are trying to build "cyber" graduates into their existing frameworks. Some want a CISSP for an entry level role, despite CISSP requiring 5 years experience... Some assume that the normal grad process will pick up cyber grads, despite the process not including universities with cyber degrees.

And I would like to see more graduates coming onto the market with a broader knowledge of the jobs available. They all seem to know about penetration testing, but few seem to be aware of roles in operational risk, security audit, secure architecture design, monitoring and logging, and those jobs that don't appear so much in the media. 

So can we do something about this? Of course we can, at many levels:

- Universities and industry need to continue to develop relationships for internships, development of course materials, industry days etc.
- We need to educate HR teams who may not fully understand the various aspects of Cyber.
- Individuals need to be realistic about their skill set - security is one part of a package, and if you don't have business and risk awareness you seriously reduce the opportunities that will be offered to you.
- Use frameworks such as the IISP one to define roles and skills against industry baselines.

Friday, October 09, 2015

New gaming PC build

My old PC was starting to get a wee bit clunky for games, so I needed to sort out a new box, but technology has moved on a lot in the last few years. I turned to the clever technical folks in the DMZ for assistance.

The spec I got back was rather nice:

EVGA X99-Classified motherboard
Intel i7-5930 6-core processor
EVGA GeForce GTX 980 Ti GPU
32Gb of RipJaw RAM (in shine red-chrome sticks)
256Gb M2 SSD
4 Tb spinny drives
Noctua NH-D14 cooling

All in an Antec 1200V3 case and a 1000W EVGA Power supply.

Having built a few hundred PC's in my time I commenced the build perfectly confident that I'd do it in an afternoon.


The case itself is rather easy to work on - lots of space, handy pop-outs etc, but it does have a couple of sharp edges. It didn't take me long to have the CPU, along with the Noctua, happily installed on the motherboard in the case, with RAM and GPU fitting in quite easily:

But at this point I opened up the SSD package and found it looked like this. Nothing like any SATA SSD I had used in the past:

So I hunted around for ages and couldn't figure out where it should go. Eventually I admitted defeat and went back to the DMZ - they diagnosed this as a dumb PEBCAK and advised me to remove the GPU. Lo and behold, I found a slot for the SSD:

Yep - it's that one that says M2. So, time to install that, pop the graphics card back in and connect up cables again:

Fan power - loads of these round the edge of the board make it very easy. Most are controllable on board, and the 3 front fans also have manual knobs so you can crank 'em up before a gaming session...

Cable routing is very straightforward in this case:

And the PSU has ample spare slots:

 Fan units on the front allow for simple removal or addition of drives, with space for 3 external drives at the top:

 Finally, after about 3 hours I had it all together, but nothing would boot. Interesting BIOS beep codes didn't really help me diagnose it. The usual tactic is to unplug everything and reinstall one device at a time, so my friends advised me to remove the GeForce and just use onboard graphics until I'd figured out the problem. Unfortunately, this board has no onboard graphics...


Anyway - after tearing my hair out a lot, I found that the M2 slot was not automatically detected, and I had to select Legacy for SATA to make it work. And the machine booted, so I hooked it up to an ASUS 28" 4K DisplayPort monitor and began to install Windows 7 Home Premium.

As it happens, I did need that hammer. The case comes with a side fan port, but the Noctua heatsink is so huge it wouldn't fit - so:

Shiny LED's in all the fans - grand:

Job done, right - ahh, well, no...

I did manage to install W7. In fact I installed it 4 times over the next couple of days, but it never worked fully . Most USB devices came up as unidentified, the monitors would only run at 1950x1080, I was having memory errors everywhere and it ran like a pig.

So I took it all to pieces again, and ordered Windows 10.

Some days later (after an aborted delivery attempt, refund and reorder because DHL couldn't find my house that day) I had Window 10 on a nice shiny USB stick.

And start again.

Windows 10 installed pretty easily - although as mentioned by everyone, you have to uncheck all the defaults if you want any semblance of privacy. There is some odd stuff in there.

Also picked up my dual monitor mount at the same time (Of course I'm going to have multiple 4K monitors - this card can handle 3 at once) and got a Razer Death Adder Chroma and Razer Black Widow Chroma; added all my external storage (no, it's not organised as a proper NAS yet - another project. Maybe next year) and started to configure the usual stuff: Plex server, Surround sound, network config etc

And once again - major USB challenges. I'm thinking something is just jinxed here, but first...I went back to the DMZ and described the install to the guys, and how I'd used the driver disks that came with the components.

That apparently was a mistake...

Don't use the EVGA driver disk with that GTx! Go to NVIDIA and download the proper drivers - that made all the difference. Similarly, I got a range of updated drivers which sorted most of the USB issues.

Ongoing niggles:

  • I can't let the monitors go to sleep - DisplayPort doesn't behave sensibly, so once they go to sleep, Windows decides on next wake that only one exists. So I need to make the PC sleep before the screens sleep.
  • I have 10 USB sockets on the back and 3 on the front of the case - but it doesn't seem to be possible to have more than 2 of the front ones working. Perhaps I can buy a USB card to sort that - but until then, I have USB hubs.
  • My WACOM tablet sort of works, but sometimes doesn't appear as a device

But aside from that, this machine rocks! I do like having a desktop 7680 pixels wide :-)

Sunday, September 06, 2015

Scottish Airshows 2015

After not blogging on here for a while (just doing the Security Stack Exchange Blog) seeing the last flying Vulcan (XK-558, the Spirit of Great Britain make her final flight in Scotland today inspired me to pop up some pics from the two air shows I went to in Scotland this Summer, the East Fortune Air Show in July and the Scottish Air Show in August.

From East Fortune:

And from The Scottish Air Show in Ayrshire: