Cybersec is a thankless job: expanding workload and shrinking pay packet

https://www.theregister.com/2026/04/27/from_a_massive_skills_gap/

29•rustoo•1h ago

Comments

lenerdenator•1h ago

"Show me the incentives, and I'll show you the outcomes." - Charlie Munger

Right now, if you have a security breach, at least in the US, you send out a letter telling the person that their data could be God-knows-where and offer them two free years of credit monitoring. Victims aren't going to really use that because it's essentially useless. If they've got absolutely, positively nothing better to do with their time, I guess you could file a lawsuit. Who knows what the outcome would be. Probably not in their favor.

In other words, it's cheaper for them to overwork the InfoSec guys/gals and barely care about what is happening outside of day-to-day operations, than it is to really secure their stuff. So they don't spend that money.

If you saw corporate valuation-cratering fines being implemented - the kind that would end the c-suite's careers and bring shame to their family lines for seven generations - I bet that they'd start catering lunches for the InfoSec team.

gadders•57m ago

New idea: AI tool to help generate legal letters to companies after they leak data to cause them maximum inconvenience.

lenerdenator•55m ago

You could also create an AI tool to help generate letters to lawmakers about how they need to make a real dent in this between reruns of Matlock in the retirement home.

intended•36m ago

The human speed legal system would become collateral damage.

jcgrillo•48m ago

I don't think fines are enough of an incentive. They're too easy to evade and insufficiently consequential to the people who are actually shipping code. Moreover, making them enormous (as you put it well "valuation-cratering") unfairly punishes people who are not directly responsible for the failure. Instead, like in other engineering disciplines, Engineers need to be personally liable for the consequences of failure. Not necessarily every engineer--not every mechanical engineer needs to be a P.E.--but someone directly responsible for the quality of the work needs to stake their reputation on it, and suffer the consequences when it fails.

adrianN•30m ago

In practice this would mean that you need to show conformance to some kind of security process. The actual outcome of that process is of secondary importance as long as you can show that you’re compliant. Very carefully written process documents _can_ improve things, but my confidence in security processes is low for companies without intrinsic motivation.

I think one can reasonably argue that sufficiently large fines that don’t have a „but we followed iso-xyz“ loophole could produce better outcomes. The difficult part is making the companies care about existential tail risks.

jcgrillo•27m ago

Yes, it'll generate a lot of super annoying paperwork. But, hopefully, it will also tighten up software engineering standards. It has worked well in other disciplines.

adrianN•22m ago

There already are areas where such standards exist, eg safety critical applications in aviation. Arguably the defect rate there _is_ lower, but I still think that this method for achieving this is quite inefficient. And I think that writing aviation software that doesn’t crash is a lot easier to define a process for than for writing software that is difficult to hack.

jcgrillo•18m ago

The missing piece is the requirement for a certified Professional Engineer to sign off on the system. That decouples the incentives from the corporate objectives, and makes it personal. We need that kind of professional accountability in software, otherwise it'll continue to be bad.

adrianN•15m ago

It is my understanding that personal responsibility already exists in safety critical software development.

TheRealDunkirk•7m ago

Companies are already following a bunch of standards like SOX, SOC2, HIPAA, etc., and documenting their adherence to checking all of the boxes, but incidents still happen every week.

mystraline•45m ago

Yep. I had a chance to go for a cybersecurity degree. And every time ive looked at that, the career path is basically an applied insurance job.

Cybersecurity does not make money. They do not raise the profit for a company. Instead, they are compliance, contractual, and legal defences to repel lawsuits and keep data boundaries clean.

And who's the first to go? Groups that dont make money. Like cybersec.

Distilling a Tiny Model for Fast Interpretability

Apple Weather App Down

Bounce Update: PDS Provider Migrations

Google DeepMind Paper Argues LLMs Will Never Be Conscious

Why So Many Mayors Are Quitting

BookStack Moves from GitHub to Codeberg

Ryzen Saved AMD from Bankruptcy – 10 Years of CPUs Tested [video]

How Semiconductors Were Made in America

Once I Understood Where AI Is Heading, I Stopped Being Anxious About It

Buying, Selling on eBay Disrupted Worldwide for more than 24 hours

Universal Transformers Need Memory: Depth-State Trade-Offs in Adaptive Recursive

Show HN: Art Coding Lab – Learn Creative Coding Through Micro Challenges

GraphCompose – declarative PDF layout engine for Java (MIT)

Show HN: I built a dating SIM that prepares you for your date

Study Finds a Third of New Websites Are AI-Generated

GB Electricity Bills

OpenAI Models, Codex, and Managed Agents Come to AWS

Show HN: PastePlop – yet another Mac clipboard manager

Warp is now Open-Source

Nvidia Nemotron 3 Nano Omni

Tridimensional Visualization of a Blackbird Song [video]

Ask HN: What do you check before launching a web app?

Show HN: How to become an Anti-founder, THE MANUAL

Biggest US airlines spent $1.2B more on fuel in Q1

Our Uncertain Uncertainties

You're the Bread in the AI Sandwich

The Download: Musk and Altman's legal showdown, and AI's profit problem

From GitHub to Codeberg/Forgejo

Doofioso (2006)

Remote Code Execution on Github with a single Git push