这是时下最热门的工作

近日，在拉斯维加斯举行的一年一度的黑帽安全大会和国际黑客安全会议上，这个新的趋势正在显现。这两场活动都在招聘人员方面收获不小。

Rapid7是一家网络安全企业，公司副总裁詹·埃利斯说，“举办大型派对使我们能够结识更多的人才，有利于填补关键职位，并留住优秀人才。” 上周三，公司在客家人酒吧举办的派对成为本周最受欢迎的一场。

20年前，甚至仅仅10年前，技术工程师可选择的工作单位大多限于网络安全公司，而主流公司和政府机构中只有少量工作机会。

然而随着技术统领世界，安全领域的就业机会得到爆炸式增长。

那些过去与高科技毫不相干的行业现在都需要安全保护，包括汽车业、医疗器械业和不断扩大的物联网，从恒温控制器到鱼缸，再到家庭安全设备，莫不如此。

现在，有更多保险公司开展了网络安全险业务，而且降低了保费，安保措施更强。律师们也开始要求云服务提供商确保客户数据安全，如果客户数据被窃，那么云服务商必须承担责任，这意味着技术公司也需要安全专家。

网络安全和教育中心是一家对安全专家进行认证的非盈利组织。该中心上个月做出预测称，2022年全球网络安全工程师将出现180万的人员缺口。中心称，三分之一的招聘经理计划将他们的安全团队至少增员15%。

对于那些喜欢在程序里找漏洞，而不是保卫系统的白客，现在有大量的公司向员工提供“漏洞奖金”或正式奖励，鼓励员工发现并汇报那些会让公司暴露在危险下的安全漏洞。

一家专门处理这些项目的公司HackerOne表示，自2014年以来，该公司已经支付了1880万美元，用于修复50140个bug，其中有一半是在去年一年中完成的。

去年，马克·利奇菲尔德入选了公司的“白客名人堂”。他是第一个通过该平台获得超过50万美元奖金的员工，这笔奖金比他上一份在咨询公司NCC Group的全职安全工作挣得还多。

利奇菲尔德说，“在过去，唯一的回报就是得到好名声，媒体会报道你。而现在的回报是钞票。”

最近还出现了其他一些赚钱的方法。贾斯汀·博恩的医疗白客公司MedSec去年走出了前所未有的一步。该公司公开与一位卖空股票的投资者合作，赌这些股票将贬值。

这是一场激烈的交锋，但圣裘德医疗公司最终确保了它的Pacemaker显示器的安全，这些设备原本会成为黑客攻击的对象。博恩预测道，还会有其他人尝试同样的方法。

博恩说，“我们这些网络安全迷花了很多时间，通过与公司合作，试图找到这些公司可能或不可能自己修复的漏洞，让世界变得更美好。””

“如果我们能够用我们的专业知识帮到客户、媒体、监管机构、非盈利组织、智库，以及金融行业的员工、投资者和分析师们，那我们就是真的开始在帮助企业理解它们所处的外部环境。”

Veracode是一家代码审计公司，今年4月被CA科技公司收购。Veracode的联合创始人之一克里斯·维索普尔称，他最初对MedSec的做法表示怀疑，但后来还是采用了这一做法，部分原因是这一做法的确有成效。他和博恩一起出席了黑帽安全大会。

维索普尔在采访中说道，“许多人认为，软件市场和硬件市场都处于不正常的情况，是一个‘柠檬市场’，因为消费者并不知道他们购买的产品安全度有多高。”

“我很希望能看到有人在努力修复这个四分五裂的市场。保护网络安全并从中获利，这似乎是资本主义经济下最好的办法。”（财富中文网）

译者：Amelia Huang

The new reality is on display in Las Vegas at the annual Black Hat and Def Con security conferences, which now have a booming side business in recruiting.

"Hosting big parties has enabled us to meet more talent in the community, helping fill key positions and also retain great people," said Jen Ellis, a vice president with cybersecurity firm Rapid7 Inc, which filled the hip Hakkasan nightclub on last Wednesday at one of the week's most popular parties.

Twenty or even 10 years ago, career options for technology tinkerers were mostly limited to security firms, handfuls of jobs inside mainstream companies, and in government agencies.

But as tech has taken over the world, the opportunities in the security field have exploded.

Whole industries that used to have little to do with technology now need protection, including automobiles, medical devices and the ever-expanding Internet of Things, from thermostats and fish tanks to home security devices.

More insurance companies now cover breaches, with premiums reduced for strong security practices. And lawyers are making sure that cloud providers are held responsible if a customer’s data is stolen from them and otherwise pushing to hold tech companies liable for problems, meaning they need security experts too.

The non-profit Center for Cyber Safety and Education last month predicted a global shortage of 1.8 million skilled security workers in 2022. The group, which credentials security professionals, said that a third of hiring managers plan to boost their security teams by at least 15%.

For hackers who prefer to pick things apart rather than stand guard over them, an enormous number of companies now offer "bug bounties," or formal rewards, for warnings about vulnerabilities that leave them exposed to criminals or spies.

One of the outside firms that handle such programs, HackerOne, said it has paid out $18.8 million since 2014 to fix 50,140 bugs, with about half of that work done in the past year.

Mark Litchfield made it into the firm's "Hacker Hall of Fame" last year by being the first to pull in more than $500,000 in bounties through the platform, well more than he earned at his last full-time security job, at consulting firm NCC Group.

In the old days, "The only payout was publicity, free press," Litchfield said. "That was the payoff then. The payoff now is literally to be paid in dollars."

There are other emerging ways to make money too. Justine Bone's medical hacking firm, MedSec, took the unprecedented step last year of openly teaming with an investor who was selling shares short, betting that they would lose value.

It was acrimonious, but St Jude Medical ultimately fixed its pacemaker monitors, which could have been hacked, and Bone predicted others will try the same path.

"Us cyber security nerds have spent most of our careers trying to make the world a better place by engaging with companies, finding bugs which companies may or may not repair," Bone said.

"If we can take our expertise out to customers, media, regulators, nonprofits and think tanks and out to the financial sector, the investors and analysts, we start to help companies understand in terms of their external environment."

Chris Wysopal, co-founder of code auditor Veracode, bought in April by CA Technologies, said that he was initially skeptical of the MedSec approach but came around to it, in part because it worked. He appeared at Black Hat with Bone.

"Many have written that the software and hardware market is dysfunctional, a lemon market, because buyers don't know how insecure the products they purchase are," Wysopal said in an interview.

"I’d like to see someone fixing this broken market. Profiting off of that fix seems like the best approach for a capitalism-based economy."