
Comment Re:"Labor shortages" are usually industry lies. (Score 1) 137

Sorry, yes, that's what I meant by bigger "sprawl" at larger companies - should have specified tech sprawl. Not sure I agree w/ you on overall staffing/capabilities on large vs. small, though. I'm also in a position of knowledge here, not quite F50 any longer, but large and globally recognized brand that makes both physical tech and digital products, etc., etc., etc. While of course there is always a ton of room for improvement in both the CISO org as well as biz, every time there is M&A, you generally get to see exactly how much worse it could be.... YMMV, of course. I'm sure there are some smaller shops that do it well (although more likely integrated into the biz vs. centralized) and larger shops that give less of a damn as well.

Comment Re:More than I can explain... (Score 1) 137

Cybersecurity is a big space; does your previous experience facilitate likely success in the roles for which you applied? While cyber, as a practice, hasn't been hit as hard as other functions in the current downturn, it HAS been hit. This has, unfortunately, led to hiring managers taking fewer "chances" and/or looking at future potential vs. current capabilities because they anticipate a constrained growth vs. demand as the industry has recently been used to. Yes, of course this is part of the skills shortage problem, but there definitely is more of a focus on immediate value/execution vs. growing staff/skills over time. Also, Cyber is still niche enough at most places that recruiters are pretty terrible at screening for it; add to that that many companies gut their recruiters first when they know hiring is slowing down. Most of my managers end up needing to do even initial applicant screening themselves, which they really don't have the time for - and yeah, that leads to increased assessment delays.

Comment Re:Checking the boxes to make the sale (Score 2) 137

Your first paragraph seems to be constrained to a GRC function in cyber. There really aren't many skills shortages there, as the baseline prereqs/skills needed to be successful are relatively small. While GRC does serve a necessary purpose, it is mostly checkbox activity and sadly, many companies do constrain their "cyber" orgs to this role, as either technically-driven cybersecurity functions are deemed too expensive or unnecessary for their line of business or size of the company. Your second paragraph demonstrates where the real problem lies. There is a significant baseline "how stuff works" knowledge that is required in order to be successful in a dedicated security function. You need to know how technology is -supposed- to be used in order to know how it can be abused. You need to know what mitigations/hardening to apply in order to minimize the chances of that abuse. You need to know the signals the technology may generate as indicators of signs of that abuse, and you need to know how to confirm if there was abuse if those signals start to fire. Then apply that to the amount of technology "sprawl" in any given organization - it's a big lift. Of course, one person is unlikely to know ALL of those things mentioned - which again takes us back to the dilemma of a small-to-midsize company: they can't afford the specialization required to be effective. Which, while not-so-great for the world at large, I suppose does benefit the big guys, because we can't find the talent even if we can (within reason) afford it.

Comment Re:In other words . . . (Score 3, Informative) 66

No they didn't. At best the 1.1B was revenue; there is no way they are pulling ~30% margin on wholesale at that quantity. And the "1.1b 'worth'" statement suggests they are using retail value to determine the 'worth'. Doing the math, they said they shipped 7.4m devices, which averages $150/device - that very much looks like retail pricing to me; there is no way Huawei was throwing in drives that, on average, cost THEM $150.

Comment Re:Live by the sword, die by the sword (Score 1) 45

By itself, nothing. However, most modern VPN solutions can require both user and device authentication, as well as various other host posture checks that typically can mitigate many identity-based compromises. Unless I haven't been keeping up, vanilla mTLS, not so much. While it may be more challenging to steal a digital certificate, it certainly isn't impossible if they aren't hardware-protected in a smartcard or TPM or some such, which really doesn't work for mobile and as such frequently makes it a non-starter. I've also seen some really poor mechanisms for provisioning client authentication certificates, which can mean any controls around protecting the certificate on the client device are moot. Granted, traditional "full" VPNs have their own large set of issues, which of course is one reason many enterprises are moving to ZTNA-based solutions. Bad guys are getting better, not only from a general maturity perspective, but increasing motivations for their upskilling - in the eCrime space there is plenty of money to be had and in the state actor space, our increasing reliance on (mostly) relatively fragile digital services increases both the military and political value of a potential breach. Short version is that "(user) identity is the new perimeter" can now be considered a dated concept, no longer sufficient, and increasingly less so. It is necessary to minimize one's attack surface, which cloud services mostly do pretty well by not exposing underlying infrastructure as is still common on many internal enterprise networks (of course, you are making the assumption they aren't exposing their cloud infrastructure to their own employees in such a manner). But also require more advanced authentication and continuous assessment (to look for things such as post-authentication token theft), which are... not so much natively, and beyond the capabilities of most 3rd party SSO solutions that work with said services.

Comment That's not all... (Score 1) 26

There is more to the directive as well. Amongst other things, any enterprise w/ in-country users or assets/infrastructure is subject to mandatory cyber incident reporting - where "incident" includes things like probing (duh... anything exposed to the internet is more or less constantly being probed), "malware" without any severity/harm/impact thresholds, etc. Basically, the sort of things that any Cyber org in an appreciably large business deals with on a daily basis that really aren't a problem as long as they are quickly detected and contained. Further, the reporting timeline is SIX HOURS. Other bizarre requirements mandate that in-country assets not only sync time w/ an NTP service of a specified stratum, but require use of -specific- NTP resources. Mandatory log retention of 180 days.... without really specifying types of logs, etc. If the supposed idea is to make the world a safer place, this will have the opposite impact. The last thing that talent-strapped Cyber orgs need is more bureaucracy, especially as one would imagine this might often result in further time-consuming follow-up inquiries. Still chasing down all of the implications, but I believe it also requires a named in-country contact that they will toss in jail as a penalty for non-compliance. Actual financial penalty is pretty low - ~120k USD I believe, although not sure how that is scoped (per instance, in aggregate, etc.). Pretty sure whoever drafted this has no idea what they are talking about or asking for, as IMO no one can/will comply with this.

Comment what's wrong with being aggressive? (Score 1) 545

Seriously... if you look closely, nothing in the ever said that there was a link to -violent- behavior, although the slant certainly tries to get one to think that way. IMHO aggressive behavior != violent behavior and is not necessarily a bad thing, in and of itself. I suppose being a bunch of sheep that meekly go where we are herded is something to be applauded in today's society?
