On the employment situation... it seems that a lot of applied cryptographers are currently unemployed (Tim Dierks, Joseph, a few ex-colleagues, and friends who asked if I had any leads, the spate of recent "security consultant" .sigs, plus I heard that a straw poll of attenders at the codecon conference earlier this year showed close to 50% out of work).
Are there any more definitive security industry stats? Are applied crypto people suffering higher rates of unemployment than general application programmers? (From my statistically too small sample of acquaintances it might appear so.) If this is so, why is it? - you might think the physical security push following the world political instability worries following Sep 11th would be accompanied by a corresponding information security push -- jittery companies improving their disaster recovery and to a lesser extent info sec plans. - governments are still harping on the info-war hype, national information infrastructure protection, and the US Information Security Czar Clarke making grandiose pronouncements about how industry ought to do various things (that the USG spent the last 10 years doing it's best to frustrate industry from doing with it's dumb export laws) - even Microsoft has decided to make a play of cleaning up it's security act (you'd wonder if this was in fact a cover for Palladium which I think is likely a big play for them in terms of future control points and (anti-)competitive strategy -- as well as obviously a play for the home entertainment system space with DRM) However these reasons are perhaps more than cancelled by: - dot-com bubble (though I saw some news reports earlier that though there is lots of churn in programmers in general, that long term unemployment rates were not that elevated in general) - perhaps security infrastructure and software upgrades are the first things to be canned when cash runs short? - software security related contract employees laid off ahead of full-timers? Certainly contracting seems to be flat in general, and especially in crypto software contracts look few and far between. At least in the UK some security people are employed in that way (not familiar with north america). - PKI seems to have fizzled compared to earlier exaggerated expectations, presumably lots of applied crypto jobs went at PKI companies downsizing. (If you ask me over use of ASN.1 and adoption of broken over complex and ill-defined ITU standards X.500, X.509 delayed deployment schedules by order of magnitude over what was strictly necessary and contributed to interoperability problems and I think significantly to the flop of PKI -- if it's that hard because of the broken tech, people will just do something else.) - custom crypto and security related software development is perhaps weighted towards dot-coms that just crashed. - big one probably: lack of measurability of security -- developers with no to limited crypto know-how are probably doing (and bodging) most of the crypto development that gets done in general, certainly contributing to the crappy state of crypto in software. So probably failure to realise this issue or perhaps just not caring, or lack of financial incentives to care on the part of software developers. Microsoft is really good at this one. The number of times they re-used RC4 keys in different protocols is amazing! Other explanations? Statistics? Sample-of-one stories? Adam -- yes, still employed in sofware security industry; and in addition have been doing crypto consulting since 97 (http://www.cypherspace.net/) if you have any interesting applied crypto projects; reference commissions paid.