
I'm sure it's both. As in, much of what they did spend likely went to snake oil salesmen. I've met lots of security consultants who did not have backgrounds in math or compsci.



> I've met lots of security consultants who did not have backgrounds in math or compsci.

My experience both working at and with higher end consultancies is that there is no correlation whatsoever between those degrees and any particular consultant’s competency. Some of the best people I’ve worked alongside have been college dropouts and Religion majors.


Likewise, I've never found any correlation between those degrees and security improvements delivered by consultants. Honestly, the best security consultants I know of are essentially con men (and women!) who have devoted their amateur psychological instincts to good. You can apply all the best tech but without organizational change it won't last. On the flip side if you bring organizational change to adopt security in depth as a value then even substandard tech can serve the purpose. In that vein, the best security consultants (meaning someone hired temporarily for their expertise – not a long term employee hired by renewable contract) are those who can imbue leadership with the vision of their organization as one that benefits financially from security as a cultural value. I'm not sure who did this for Apple but they are a good example of a company that has benefited from a reputation earned by truly valuing security instead of trying to merely make sure everything is secure.


Sorry for the late reply, but I chose the term "background" over "degree" for this very reason.


One of the biggest problems in the security industry is a misconception that security and computer science are the same. They aren't at all.

If you're doing low level design of crypto algorithms, you need to know math. If you're doing appsec reviews or pentests, then a background in software development might help (but is not required).

But there is an entire world of security roles out there that are essential to implementing security that have nothing to do with math or compsci. The security industry right now has a huge problem with gatekeeping, where they think you can't even begin to think about security unless you're already a top-tier principal engineer, and it's led to a huge drought of talent in security roles across the board.


So true. When I was a student, I aced most of my classes from math theories to EE. But took one cryptography class and everything went over my head.

To this day, it's hard for me to tell during hiring what makes a good security hire.


And yet (correct me if I'm wrong), a good security person does not need to understand cryptography. He should have some basic understanding of how to apply it, but the knowledge of its internals and the math behind it is pretty much useless.


Yeah, from the outside looking in, to me the biggest requirement is one of mindset, thinking like an attacker, thinking of all the possibilities… in that sense very much like the qualities for a good QA person.


True, crypto(graphy - wow, been so long since I've typed it that I've just realized crypto has now been bogarted for something else). Theory vs applied, but I think it's still true the mindset of a hacker is still very different. I.e. similar to the whole IT vs dev.


I don't really agree with "they aren't at all". If anything, engineering skills are extremely undervalued in infosec.


> I'm sure it's both. As in, much of what they did spend likely went to snake oil salesmen. I've met lots of security consultants who did not have backgrounds in math or compsci.

I'm going to bet that they did have qualified engineers, because I like to assume the best in people, but I also assume that those engineers may not have been able to make the changes they want to.

In my experience in big companies, corporate bureaucracy and a complete unwillingness to change processes or systems is usually a bigger hindrance to security than the skill level of consultants/engineers.


You can't easily "bolt on" security to a massive internal ecosystem of insecure projects that has built up over the years. If I had to guess, I would anticipate the software T-Mobile is running includes a lot of legacy that hasn't been fully maintained. If they don't spend the cash to retain developers who built these projects or to keep them maintained, it means there's nobody around who really knows the codebase. And that means funding the little security edge cases is going to be nearly impossible, particularly for an external contractor with a few months.


Worse, the "upper management" will assume it was a talent / investment problem since "they sunk so much money into security". Oh that darn booming industry.


"To think we paid those security consultants so much money to protect our completely unencrypted and exposed database and we still got hacked.

And they had the nerve to suggest we replace this unencrypted database, which an old legacy system needs entirely open root access to with something secure for an eye watering bill - we don't hire security consultants to replace our legacy systems, we pay them to stop unauthorised people accessing the big pile of data we leave in the open.

Get the gall - they even wanted us to change the interface between our two big legacy systems because it was just a CSV file which contained all our sensitive data on it. Wimps! Especially as we told them they could do anything to make our systems secure, as long as they didn't touch those legacy systems."


What do you consider a background in compsci? A few years in the industry?

Because my degree is in Management Information Systems (MIS), but I've done troubleshooting on both performance problems of the O(n^5) variety and problems of the "not covered in the requirements document" variety... Not sure what else I need to understand, say, memory bounds-checking problems or firewall/ACL configuration problems.

EDIT: expanded acronym


What’s MIS?


Management Information Systems. A "business oriented" computer degree. They were popular in the 80s as an alternative to comp. sci. They focus on how to use databases and spreadsheets, and other analytical and management systems. In those days, "decision support" software was a big thing. Is MIS still a thing anymore?


It's still a thing, or at least it was a few years ago. I worked with several recent MIS graduates at a consulting firm in the mid-late 2010s. But I'd never even heard of the degree before that point, I majored in math, minored in CS, and did dissertation work in a business school (admittedly, economics, so not particularly business-y).


I got a degree in it in the early 2010s (technically my university called it Information Science and Technology).

I just say "business and computers and how they go together" when explaining it.


I don't see the connection between a background in math or computer science and exposing unprotected internal network devices to the internet.


Probably memorized a checklist and passed a multiple choice test or two to become certified.


It's surprisingly easy to get certified. I managed to pass the difficult-by-reputation CISSP exam without any deep knowledge of or really interest in information security. I just took the five-day crash course my company paid for and Bob's your uncle, I passed the CISSP.

Of course, I never actually got certified because I left the role immediately afterward and never bothered following up. Moreover, I didn't really meet the requirements, which included having some tenure as a security professional. But I'm sure I could have finagled it if I had any interest in working security (I absolutely did not).


Are there any certifications that require you to solve a CTF or otherwise demonstrate understanding of the field? (Just spitballing, but maybe an oral-defence of strategy against a board of defcon panelists? Etc)

Braindump-able IT certs benefit no-one, and expecting people to have MSc degrees in infosec is elitist and very impractical.


Offensive Security certs (e.g. OSCP) are similar to what you're describing. The PNPT is similar too but also emulates a real-world engagement on top of just needing to root boxes.



