Is Incident Response experiencing a bubble?

Today in the CactusCon Community Discord server, someone was asking the group for thoughts regarding whether or not IR is experiencing a bubble. I wrote a mini-novel of an answer, so I wanted to share it here on my blog.

I believe that InfoSec in general is experiencing a sharp rise in popularity, mostly due to the need brought about by more consistent attacks. I don’t personally see IR consulting in a bubble, nor do I feel InfoSec in general is in a bubble at this point. There simply aren’t enough security practitioners to go around. However, what we are seeing is a massive push by institutions to train people in the ways of cyber security.

Just think of how many random commercials or advertisements you’ve seen from entities claiming to get people ready for a “career in cyber” in less than a year. Perhaps I’m biased, or just an old fool at this point (I’m nearly 40, am I old now?!), but I don’t believe someone can change careers from non-IT whatsoever to cyber security. Our realm requires intimate knowledge of so many IT-based trade crafts… it’s VERY difficult to learn all that in a year. Or two. Or three even. Doable for some, but not for the masses.

As for the need for InfoSec/cyber security/whatever the heck we call it — not counting APT or related nation-state-sponsored attacks, we’ve seen the rise and fall of EKs that has led now to InfoStealer/Banking Trojans that are tearing into organizations of all shapes and sizes. Even most ransomware cases now begin with a “banking trojan.” Remember the BlackHole EK? I look at BHEK as the initial “oh wow this works” venture into the malware-as-a-service (MaaS) regime. From there it was on like Donkey Kong. Now we’re in the days of Emotet/TrickBot/IcedID. Attacks don’t have to be targeted at all. Malspam campaigns take care of that. And as more and more malware authors focus on *-as-a-service offerings, we’re going to see even more need for blue team practitioners around the world.

As for insurance companies, they use approval boards that are shaping the IR consulting teams of today and tomorrow. If you have a given insurance carrier, you have to use one of their approved IR firms. For example, the massive cyber insurance providers have a limited number of approved firms. Many of those firms are experiencing a huge growth spurt, and I firmly believe this is due to their relationships with insurance companies.

While I see a sharp and increasing rise in the number of InfoSec-related jobs, training programs, and the like, I don’t think we’re anywhere near a bubble at this point. You can’t open a req for a senior, let alone a principal, and get a gratuitous number of qualified applicants. BUT, I do believe that we’ll eventually get to the point in which we find ourselves in a bubble. That perhaps won’t happen for a number of years. Perhaps… 10+?

The one thing I keep thinking about is this: What if we go the way that Russia went? When the communist party began shutting down communist training camps, they began converting those centers into IT training camps. They realized the importance of IT skills, so they pushed that agenda. That allowed them to create a massive pipeline of IT-trained potential employees. Given the economic conditions and lack of IT jobs, many of those specially-trained people went rogue. Many of them turned to the “dark side” of malware development.

What if other countries follow suit, just over a longer duration? What if we keep pushing cyber security to the point at which the market is saturated? What will those folks end up doing? The folks we don’t have now… the qualified or even overqualified security professionals… what if they too turn to the dark side? Is that what the security bubble burst will lead to?
