80,000 Hours career review: Information security in high-impact areas
By 80000_Hours, Cody_Fenwick @ 2023-01-16T12:45 (+56)
This is a linkpost to https://80000hours.org/career-reviews/information-security/
This is a cross-post of a career review from the 80,000 Hours website written by Jarrah Bloomfield. See the original here.
Introduction
As the 2016 US presidential campaign was entering a fractious round of primaries, Hillary Clinton’s campaign chair, John Podesta, opened a disturbing email.[1] The March 19 message warned that his Gmail password had been compromised and that he urgently needed to change it.
The email was a lie. It wasn’t trying to help him protect his account — it was a phishing attack trying to gain illicit access.
Podesta was suspicious, but the campaign’s IT team erroneously wrote the email was “legitimate” and told him to change his password. The IT team provided a safe link for Podesta to use, but it seems he or one of his staffers instead clicked the link in the forged email. That link was used by Russian intelligence hackers known as “Fancy Bear,” and they used their access to leak private campaign emails for public consumption in the final weeks of the 2016 race, embarrassing the Clinton team.
While there are plausibly many critical factors in any close election, it’s possible that the controversy around the leaked emails played a non-trivial role in Clinton’s subsequent loss to Donald Trump. This would mean the failure of the campaign’s security team to prevent the hack — which might have come down to a mere typo[2] — was extraordinarily consequential.
These events vividly illustrate how careers in infosecurity at key organisations have the potential for outsized impact. Ideally, security professionals can develop robust practices that reduce the likelihood that a single slip-up will result in a significant breach. But this key component for the continued and unimpaired functioning of important organisations is often neglected.
And the need for such protection stretches far beyond hackers trying to cause chaos in an election season. Information security is vital to safeguard all kinds of critical organisations such as those storing extremely sensitive data about biological threats, nuclear weapons, or advanced artificial intelligence, that might be targeted by criminal hackers or aggressive nation states. Such attacks, if successful, could contribute to dangerous competitive dynamics (such as arms races) or directly lead to catastrophe.
Some infosecurity roles involve managing and coordinating organisational policy, working on technical aspects of security, or a combination of both. We believe many such roles have thus far been underrated among those interested in effective altruism and reducing global catastrophic risks, and we’d be excited to see more altruistically motivated candidates move into this field.
In a nutshell
Organisations with influence, financial power, and advanced technology are targeted by actors seeking to steal or abuse these assets. A career in information security is a promising avenue to support high-impact organisations by protecting against these attacks, which have the potential to disrupt an organisation’s mission or even increase existential risk.
Jeffrey Ladish contributed to this career review. We also thank Wim van der Schoot for his helpful comments.
Why might information security be a high-impact career?
Information security protects against events that hamper an organisation’s ability to fulfil its mission, such as attackers gaining access to confidential information. Information security specialists play a vital role in supporting the mission of organisations, similar to roles in operations.
So if you want an impactful career, expertise in information security could enable you to make a significant positive difference in the world by helping important organisations and institutions be secure and successful.
Compared to other roles in technology, an information security career can be a safe option because there may be less risk you could have a negative impact. In general, preventing attacks makes the world a safer place, even if it’s not clear whether potential victim organisations are providing net positive impact themselves. When a company is hacked, the harm can disproportionately fall on others — such as people who trusted the company with their private information.
On the other hand, information security roles can sometimes have limited impact even when supporting high-impact areas, if the organisation does not genuinely value security. Many organisations have security functions primarily so that they can comply with regulations and compliance standards for doing business. These security standards have an important role, but when they are applied without care for achieving real security outcomes, it often leads to security theatre. It is not uncommon for security professionals to realise that they are having minimal impact on the security posture of their organisation.
Protecting organisations working on the world’s most pressing problems
Organisations working on pressing problems need cybersecurity expertise to protect their computer systems, financial resources, and confidential information from attack. In some ways, these challenges are similar to those faced by any other organisation; however, organisations working on major global problems are sometimes special targets for attacks.
These organisations — such as those trying to monitor dangerous pathogens or coordinate to reduce global tensions — often work with international institutions, local political authorities, and governments. They may be targeted by state-sponsored attacks from countries with relevant geopolitical interests, either to steal information or to gain access to other high-value targets.
Some high-impact organisations have confidential, sensitive discussions as part of their work, where a leak of information through a security compromise would damage trust and their ability to fulfil their mission. This is especially relevant when operating in countries with information control and censorship regimes.
In extreme cases, some organisations need help protecting information that could be harmful for the world if it was known more widely, such as harmful genetic sequences or powerful AI technology.
In addition to threats from state-sponsored attackers, cybercrime groups also raise serious risks.
They seek financial gain through extortion and fraud — for example, by changing payment information, ransoming data, or threatening to leak confidential correspondence. Any organisation is vulnerable to these attacks. But organisations that handle particularly sensitive information or large value financial transactions, such as philanthropic grantmaking funds, are especially likely targets.
What does working in high-impact information security roles actually look like?
“Defensive” cybersecurity roles — where the main job is to defend against attacks by outsiders — are most commonly in demand, especially in smaller nonprofit organisations and altruistically minded startups that don’t have the resources to hire more than a single security specialist.
In some of these roles, you’ll find yourself doing a mix of hands-on technical work and communicating security risk. For example:
- You will apply an understanding of how hackers work and how to stop them.
- You will set up security systems, review IT configurations, and provide advice to the team about how to do their work securely.
- You will test for bugs and vulnerabilities and design systems and policies that are robust to a range of possible attacks.
Having security knowledge across a wide range of organisational IT topics will help you be most useful, such as laptop security, cloud administration, application security, and IT accounts (often called “identity and access management”).
You can have an outsized impact relative to another potential hire by working for a high-impact organisation where you understand their cause area. This is because information security can be challenging for organisations that are focussed on social impact, as industry standard cybersecurity advice is built to support profit motives and regulatory frameworks. Tailoring cybersecurity to how an organisation is trying to achieve its mission — and to prevent the harmful events the organisation cares most about — could greatly increase your effectiveness.
If you’re interested in reducing existential risks, we think you should consider joining an organisation working in relevant areas such as artificial intelligence or biorisk.
An important part of this is bringing your team along for the journey. To do security well, you will regularly be asking people to change the way they work (likely adding hurdles!), so being an effective communicator can be as important as understanding the technical details. Helping everyone understand why certain security measures matter and how you’re balancing the costs and benefits is required for the team to accept additional effort or seemingly unnecessary steps.
Ethical hacking roles, in which you’re tasked with breaking the defences of your clients or employers in order to ultimately improve them, are also important for cybersecurity — but only very large organisations have positions for these sorts of “offensive” (or “red teaming”) roles. More often, such roles are at cybersecurity services companies, which are paid to do short-term penetration testing exercises for clients.
If you take such a role, it would be hard to focus on the security of impactful organisations in order to maximise your impact, because you often have little choice about which clients you’re supporting. But you could potentially build career capital in these kinds of positions before moving on to more impactful jobs.
What kind of salaries do cybersecurity professionals earn?
Professionals in information security roles such as cybersecurity earn high salaries. The US Bureau of Labor Statistics reported that the median salary for information security analysts was over $100,000 a year in 2021.
While you’ll likely have a bigger impact supporting an organisation directly if the organisation is doing particularly important work, earning to give can still be a high-impact option, especially when you focus on donating to the most effective projects that could use the extra funds.
How to assess your fit in advance?
A great way to gauge your fit for information security is to try it out. There are many free online resources that will give you hands-on experience with technical aspects of security. You can get a basic introduction through the SANS Cyber Aces course.
Some other ideas to get you started:
- Try out ethical hacking to understand how hacks work and gain an intuition for security loopholes. Find a tutorial on basic attacks (e.g. OverTheWire or HackTheBox) or a course (e.g. Coursera’s Ethical Hacking Essentials). Read up on high-profile vulnerabilities, and see if there are any guides on setting up a lab environment and exploiting them (e.g. Log4Shell). If you’re studying at a university, it may be easy to join a Capture the Flag (CTF) team.
- Play around with security tools. Wireshark will inspect the surprising variety of network traffic on your computer, and Burp Suite Community can go deeper into web requests. Scan your home network for vulnerabilities with Nessus Essentials.
- Set up your own infrastructure. Host a virtual machine. Build a web server and secure it. Try installing Elastic Stack and Zeek. Get the AWS Free Tier and poke around the cloud administrator settings.
Having a knack for figuring out how computer systems work, or enjoying the application of a security mindset, is a predictor that you might be a good fit — but neither is required to get started in information security.
How to enter infosecurity
Entering with a degree
The traditional way to enter this field is to study an IT discipline — such as computer science, software engineering, computer engineering, or a related field — in a university that has a good range of cybersecurity courses. However, you shouldn’t think of this as a prerequisite — there are many successful security practitioners without a formal degree. A degree often makes it easier to get entry-level jobs though, because many organisations still require it.
Aside from cybersecurity-labelled courses, a good grasp of the fundamentals of computer systems is useful. This includes topics on computer networks, operating systems, and the basics of how computer hardware works. We suggest you consider at least one course in machine learning — while it’s difficult to predict technology changes, it’s plausible that AI technologies will dramatically change the security landscape.
Consider finding a part-time job in an IT area while studying (see the next section), or doing an internship. This doesn’t need to be in an information security capacity; it can just be a role where you get to see first-hand how IT works. What you learn in university and what happens in practice are different, and understanding how IT is applied in the real world is vital.
In the final year of your degree, look for entry-level cybersecurity positions — or other IT positions, if you need to.
We think that jobs in cybersecurity defensive roles are ideal for gaining the broad range of skills that are most likely to be relevant to high-impact organisations. These have role titles such as Security Analyst, Security Operations, IT Security Officer, Security Engineer, or even Application Security Engineer. “Offensive” roles such as penetration testing can also provide valuable experience, but you may not get as broad an overview across all of the fronts relevant to enterprise security, or experience the challenges with implementation first-hand.
Entering with (just) IT experience
It is also possible to enter this field without a degree.
If you have a good working knowledge of IT or coding skills, a common path is to start in a junior role in internal IT support (or similar service desk or help desk positions) or software role. Many people working in cybersecurity today transitioned from other roles in IT. This can work well if you are especially interested in computers and are motivated to tinker with computer systems in your own time.
A lot of what you’ll learn in an organisational IT role will be useful for cybersecurity roles. Solid IT management requires day-to-day security, and understanding how the systems work and the challenges caused by security features is important if you’re going to be effective in cybersecurity.
Do you need certifications?
There are many cybersecurity certifications you can get. They aren’t mandatory, but having one may help you get into an entry-level job, especially if you don’t have a degree. The usefulness varies depending on how reputable the provider is, and the training and exams may be expensive.
Some well-regarded certifications are CompTIA Security+, GIAC Security Essentials, OSCP Penetration Testing, and Certified Ethical Hacker. Vendor and technology certifications (e.g. Microsoft or AWS) generally aren’t valuable unless they’re specific to a job you’re pursuing.
What sorts of places should you work?
For your first few years, we recommend prioritising finding a role that will grow your knowledge and capability quickly. Some high-impact organisations are quite small, so they may not be well-placed to train you up early in your career, because they’ll likely have less capacity for mentorship in a range of technical areas.
Find a job where you can learn good IT or cybersecurity management from others.
The best places to work will already have relatively good security management practices and organisational maturity, so you can see what things are supposed to look like. You may also get a sense of the barriers that prevent organisations from having ideal security practices. Being able to ask questions from seasoned professionals and figure out what is actually feasible helps you learn more quickly than running up against all of the roadblocks yourself.
Tech companies and financial organisations have a stronger reputation for cybersecurity. Security specialist organisations — such as in consulting, managed security providers, or security software companies — can also be great places to learn. Government organisations specialising in cybersecurity can provide valuable experience that is hard to get outside of specific roles.
Once you’re skilled up, the main thing to look for is a place that is doing important work. This might be a government agency, a nonprofit, or even a for-profit. We list some high-impact organisations here. Information security is a support function needed by all organisations to different degrees. How positive your impact is will depend a lot on whether you’re protecting an organisation that does important and pressing work. Below we discuss specific areas where we think additional people could do the most impactful work.
Safeguarding information hazards
Protecting information that could be damaging for the world if it was stolen may be especially impactful and could help decrease existential risk.
Some information could increase the risk that humanity becomes extinct if it were leaked. Organisations focussed on reducing this risk may need to create or use this information as part of their work, so working on their security means you can have a directly positive impact. Examples include:
- AI research labs, which may discover technologies that could harm humanity in the wrong hands.
- Biorisk researchers who work on sensitive materials, such as harmful genetic sequences that could be used to engineer pandemics.
- Research and grantmaking foundations that have access to sensitive information on the strategies and results of existential risk reduction organisations.
Contributing to safe AI
Security skills are relevant for preventing an AI-related catastrophe. Security professionals can bring a security mindset and technical skills that can mitigate the risk of an advanced AI leading to disaster.
If advanced AI ends up radically transforming the global economy, as some believe it might, the security landscape and nature of threats discussed in this article could change in unexpected ways. Understanding the cutting-edge uses of AI by both malicious hackers and infosecurity professionals could allow you to have a large impact by helping ensure the world is protected from major catastrophic threats.
Working in governments
Governments also hold information that could negatively impact geopolitical stability if stolen, such as weapons technology and diplomatic secrets. But it may be more difficult to have a positive impact through this path working in government, as established bureaucracies are often resistant to change, and this resistance may prevent you from having impact.
That said, the scale of government also means that if you are able to make a positive change in impactful areas, it has the potential for far-reaching effects.
People working in this area should regularly reassess whether their work is, or is on a good path to, making a meaningful difference. There may be better opportunities inside or outside government.
You may have a positive impact by working in cybersecurity for your country’s national security agencies, either as a direct employee or as a government contractor. In addition, these roles may give you the experience and professional contacts needed to work effectively in national cybersecurity policy.
If you have the opportunity, working to set and enforce sensible cybersecurity policy could be highly impactful.
Want one-on-one advice on pursuing this path?
If you think this path might be a great option for you, but you need help deciding or thinking about what to do next, our team might be able to help.
We can help you compare options, make connections, and possibly even help you find jobs or funding opportunities.
Learn more
- Podcast: Nova DasSarma on why information security may be critical to the safe development of AI systems
- Mitigating catastrophic biorisks — a talk by MIT professor Kevin Esvelt about why advanced information security is important for reducing biorisks
- Information security considerations for AI and the long-term future — an Effective Altruism Forum post by Jeffrey Ladish and Lennart Heim
- Podcast: Bruce Schneier on how insecure electronic voting could break the United States — and surveillance without tyranny
- Security Mindset and Ordinary Paranoia — an analysis by Eliezer Yudkowsky of the Machine Intelligence Research Institute
- OK, So I Need Security. Where Do I Start? — a white paper by Lyde Andrews of SANS
- How to build a cybersecurity career — a blog post by Daniel Miessler, an infosecurity professional with more than 20 years of experience
- Information security careers for global catastrophic risk reduction — an Effective Altruism Forum post by Claire Zabel and Luke Muehlhauser of Open Philanthropy
Notes and references
- This account is based on public reporting of the incident in outlets including Vox, Vice, and CNN.
- “‘This is a legitimate email,’ Charles Delavan, a Clinton campaign aide, replied to another of Mr. Podesta’s aides, who had noticed the alert. ‘John needs to change his password immediately.’ With another click, a decade of emails that Mr. Podesta maintained in his Gmail account — a total of about 60,000 — were unlocked for the Russian hackers. Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an ‘illegitimate’ email, an error that he said has plagued him ever since.” See The New York Times.
Jamie_Harris @ 2023-01-30T22:47 (+8)
"You can have an outsized impact relative to another potential hire by working for a high-impact organisation where you understand their cause area. This is because information security can be challenging for organisations that are focussed on social impact, as industry standard cybersecurity advice is built to support profit motives and regulatory frameworks. Tailoring cybersecurity to how an organisation is trying to achieve its mission — and to prevent the harmful events the organisation cares most about — could greatly increase your effectiveness."
This part feels pretty crucial for the argument that this is a high-impact career path; otherwise orgs working on AI safety, biosecurity etc can presumably just hire professionals without much context or interest in their cause area.
But I find it surprising.
Do orgs report struggling with this? Can't they just draw their hires/contractors' attention to the specific issues they're most concerned about, and explain how their needs differ from the norm?
Jarrah @ 2023-02-05T09:24 (+10)
The problem might come down to security being nuanced, complex, hard to measure, needing to be tied to the mission to be effective - so it often requires a lot of judgement. In my experience it's easy for contractors to apply the same cookie-cutter security they've always done, and miss the point.
Two real examples that may be illustrative:
A company with altruistic goals wanted to reduce the risk of a compromise that could prevent them from achieving the mission, so they hired contractors to support cybersecurity. The contractors recommended working on security policy and set to work on it. One of the benefits of policy is demonstrating security compliance, so that other businesses are comfortable buying your services. The policies were designed along these lines, even though sales wasn't the true motivation for security, and was out of touch with the organisation's culture. For example, staff were told that they had to follow it for the good of the company, including "don't be the reason [company] loses a sale".
The company's motivation and culture was explained clearly to the contractors. But it's unusual for an organisation to care about their mission more than money, and common for companies to pretend, so I can understand why the contractors had a hard time understanding.
Another example of disconnect is that many companies and security professionals explicitly do not attempt to defend against nation state attacks, and ignore external harms. I talked to a successful cybersecurity professional (CISO at a large tech company) about the security difficulties faced by AI startups and the damage that could be done to the world by the leak of powerful technologies. One of their recommendations was for AI labs to get cyber insurance so they would be financially protected against a compromise. I argued that this doesn't protect against a foreign state brainwashing its citizens with a large language model, and they agreed, but their initial reaction was that the AI lab can't get sued over that anyway. In fairness I don't believe they were callous - just not used to thinking about risks beyond company success and survival.
Different contractors may be better, and there may be some out there that 'get' it, but it's an added difficulty when it's already hard to get and vet information security expertise.
I think it can work to hire contractors for specific technical tasks that require a high amount of expertise and not as much mission judgement, e.g. deploy a security product.
I don't believe the issue is limited to information security - I remember Tara discussing the difficulty of outsourcing financial accounting.
Jamie_Harris @ 2023-02-06T11:56 (+2)
Thanks! This reply is very helpful.
If the bottleneck is essentially about people with relevant expertise not 'getting it', then I tentatively suspect that the ideal model for this path for relevant orgs would look like a consultancy. E.g. advice about how to manage contractors, and helping to onboard contractors, rather than trying to ~do the work.
If that's right, then it suggests that we need relatively few people actually developing this skillset.
(Similarly to how mental health is instrumentally very important for doing good, and it's great that there are people thinking specifically about mental health in the context of maximising positive impact, but I still wouldn't recommend 'psychiatrist/counsellor' for (m)any people who hadn't already built up a bunch of relevant expertise.)
Yonatan Cale @ 2023-02-08T13:22 (+6)
I think I'd start with solving the problem for 1-2 EA orgs, in the spirit of "do things that don't scale", and once that works (which will probably be hard in several unexpected ways), I'd try to scale to a consultancy that helps 10 orgs at once.
This is only based on my unverified guess about making a product that would fit what the orgs would say "hell yes" to, and my unverified-in-this-situation intuition that starting by trying to solve the problem in a scalable way before doing it for 1-2 "individuals" usually doesn't work.
(I can elaborate on my intuitions, but if someone read this and disagrees - I encourage you to ignore what I wrote)
Regardless of building a solution (consultancy?) that orgs will say yes to, I also think there's something healthy of having a single person in the org (the head of security?) who is personally responsible for the security going well (having "power" to make decisions, having information and knowledge to either make decisions or vet other people's opinions), and this often isn't the situation with consultancies, who are not in fact responsible in the way I mean.
I can also imagine a trusted consultancy that very specifically helps hiring competent people to be "head of security".
[rough thoughts, not my expertise]
Yonatan Cale @ 2023-01-25T23:08 (+4)
Ohh great post! Some thoughts [the subtext is "I'm excited you're writing about this"]
I agree, Infosec is underrated in EA
Specifically in orgs that have dual-use information on their computers.
More specifically, I'm in favor of air gapped networks for orgs that have strong AI capabilities. I'm aware this is a "big ask" and that nobody would take it seriously today. But if we'd have more infosec professionals who could help set up very secure networks, that would probably help, I guess.
Common misconception: "information security" is a single profession
Sometimes people want to "get into working on information security" but this seems (if I may exaggerate to make a point) like asking "how to get into working on computers". It's a big field!
I think the post does a good job in distinguishing some of the sub-domains, I'd like to add to it:
- Building information security systems VS using information security systems
- Naive example: Are you writing code for a new anti virus product or are you making sure the anti virus that your org bought is set up correctly?
- (I think EA mainly needs the second option)
- Attacking vs defending
- (I think EA needs the latter, and I'd caution against "practicing attacking for years as preparation for defending" which I think people sometimes do. Not certainly a mistake, but not something I'd do by mistake)
- Deciding what the org's policy will be vs implementing a policy that you can't change
- For example, are you trying to convince the CEO that people in the org should not install chrome extensions except from a specific white list, or are you trying to get the 100 employees to install a "chrome extension blocker" (or whatever) on their computers and get it done in a week?
- (I think, though uncertain, that EA needs both)
University degree?
This post has a heading "how to enter [tech profession X]" and has a sub-heading of "entering with a degree". Is this a recommendation for people to get a degree? Is this just noting that if someone already has a degree then they might have an easier time? I don't know if your post might be (unintentionally?) nudging people to pursue a degree, maybe.
(My background, if anyone cares)
I spent 6+ years of my career doing information security, mostly as a software developer, including in the IDF and in 2 infosec startups.
Jarrah @ 2023-02-05T09:44 (+3)
Air gaps can function in networks that don't need to have much data coming in or out. This used to be the case for industrial control systems and maybe weapons systems. But even when I've talked with industrial control systems experts on it, they recommended against it, because the gap will be plugged due to operational necessities whether you like it or not. Often it ends up being dirty USB drives bypassing your security that you have no control over. I strongly believe that the volume of external data processing needed by AI research means airgapping is impractical.
If someone has enough IT skills to get an entry-level position, I would encourage them to take that route. If they don't, then I would nudge them towards a degree that both will help to motivate them and to gain a credential to help them get in the door.
Yonatan Cale @ 2023-02-08T09:55 (+3)
I agree these are problems, but disagree they don't have solutions. (I was in the IDF where we did things to address these problems)
Also, the goal of defense is making offense very costly, it's not "making offense impossible".
We did, for example, allow data transfer, but there were limitations on it. Specifically USB drives were not allowed at all, and blocked from use on the computers themselves. If you wanted to transfer data, you couldn't bring your own USB drive, you had to use a specific organizational protocol for it.
Sorry I'm not giving specifics here. My main point is that I've seen solutions to such problems in a real working air gapped network that I personally used for my development work.
Yonatan Cale @ 2023-01-25T23:14 (+3)
Also, I hypothesise EA needs more "head of security" people who can do everything from "explain to the CEO that the cost of stealing all of our intellectual property right now is around $100k" to "decide on useful policies and help the employees not be too annoyed by them", including "here are tradeoffs we can choose to make, and here are clever ways we can get extra security at very low cost". Another non-trivial task is "hire people who actually understand security".
Do you have opinions on whether I'm right here?
If so, it might be worth thinking about how to get more such people. Seems hard.
Jarrah @ 2023-02-05T09:51 (+3)
I think you're right here. It tends to be senior people who have that capability, and there's not enough of them in the industry. What makes this especially hard for us is that EAs tend to be younger and early to mid-career.
Cody_Fenwick @ 2023-01-26T17:03 (+3)
Thanks Yonatan! I was the editor of this review.
The section "How to enter infosecurity" has one section which discusses how to enter the field with a university degree. But it also notes: "However, you shouldn’t think of this as a prerequisite — there are many successful security practitioners without a formal degree." The following section discusses how to enter the field without formal training.
Whether any given individual should pursue a degree depends on a bunch of individual factors.
Your suggestion that EA orgs should have a "head of security" of some sort sounds plausible in many cases. But a lot will depend on the size of the organisation, its specific security needs, what other duties this person would be responsible for, etc., so it's hard to be generally prescriptive. As the review lays out, there are likely to be ongoing security needs for many impactful orgs for the foreseeable future, and expertise in this domain will be needed at a variety of levels.