employment market for applied cryptographers?

Thu Aug 15 21:23:05 EDT 2002

On the employment situation... it seems that a lot of applied
cryptographers are currently unemployed (Tim Dierks, Joseph, a few
ex-colleagues, and friends who asked if I had any leads, the spate of
recent "security consultant" .sigs, plus I heard that a straw poll of
attenders at the codecon conference earlier this year showed close to
50% out of work).

Are there any more definitive security industry stats?  Are applied
crypto people suffering higher rates of unemployment than general
application programmers?  (From my statistically too small sample of
acquaintances it might appear so.)

If this is so, why is it?

- you might think the physical security push following the world
political instability worries following Sep 11th would be accompanied
by a corresponding information security push -- jittery companies
improving their disaster recovery and to a lesser extent info sec
plans.

- governments are still harping on the info-war hype, national
information infrastructure protection, and the US Information Security
Czar Clarke making grandiose pronouncements about how industry ought
to do various things (that the USG spent the last 10 years doing it's
best to frustrate industry from doing with it's dumb export laws)

- even Microsoft has decided to make a play of cleaning up it's
security act (you'd wonder if this was in fact a cover for Palladium
which I think is likely a big play for them in terms of future control
points and (anti-)competitive strategy -- as well as obviously a play
for the home entertainment system space with DRM)

However these reasons are perhaps more than cancelled by:

- dot-com bubble (though I saw some news reports earlier that though
there is lots of churn in programmers in general, that long term
unemployment rates were not that elevated in general)

- perhaps security infrastructure and software upgrades are the first
things to be canned when cash runs short?  

- software security related contract employees laid off ahead of
full-timers?  Certainly contracting seems to be flat in general, and
especially in crypto software contracts look few and far between.  At
least in the UK some security people are employed in that way (not
familiar with north america).

- PKI seems to have fizzled compared to earlier exaggerated
expectations, presumably lots of applied crypto jobs went at PKI
companies downsizing.  (If you ask me over use of ASN.1 and adoption
of broken over complex and ill-defined ITU standards X.500, X.509
delayed deployment schedules by order of magnitude over what was
strictly necessary and contributed to interoperability problems and I
think significantly to the flop of PKI -- if it's that hard because of
the broken tech, people will just do something else.)

- custom crypto and security related software development is perhaps
weighted towards dot-coms that just crashed.

- big one probably: lack of measurability of security -- developers
with no to limited crypto know-how are probably doing (and bodging)
most of the crypto development that gets done in general, certainly
contributing to the crappy state of crypto in software.  So probably
failure to realise this issue or perhaps just not caring, or lack of
financial incentives to care on the part of software developers.
Microsoft is really good at this one.  The number of times they
re-used RC4 keys in different protocols is amazing!

Other explanations?  Statistics?  Sample-of-one stories?

Adam
--
yes, still employed in sofware security industry; and in addition have
been doing crypto consulting since 97 (http://www.cypherspace.net/) if
you have any interesting applied crypto projects; reference
commissions paid.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com