I also find vulnerabilities.

The desktops per admin are consistent enough to be useful in this regard. That leaves the percentage of employees as determining factors. (Though Adam brought up in a private email that I assume a 1:1 relationship between desktops and employees and this may be erroneous). The BLS is the most reliable source of information I know of to get this number.

Your attempt at describing IT organizations is admirable albeit weak. The department/job title doesn’t matter – functional responsibility does. (Btw, security folks rarely actually patch systems – that’s why I am fairly liberal with my qualifications).

I said zero and we are at five. You said “hundreds” and we are at five. You are off by at least 195; I am off by 5 so far. Come see me when I have 101. It should really be easy, given that you think there are so many.

Fully built-out teams for functional areas is an enterprise-ism (1000+ employees). Dedicated security staff is an enterprise-ism; dedicated security *teams* is a large-enterprise-ism.

You’ve done enough “thinking” about this topic to assert that there are no such people as operational vulnerability researchers in the Fortune 500, but perhaps not enough to look past BLS stats to find any report on how enterprises staff IT.

This is an interesting point. The Bureau of Labor & Statistics here (http://www.bls.gov/news.release/cewfs.nr0.htm) says that companies w/ 1k or more employees make up 37.4% of total employment. I would take a swag that 3k and above might make up 20% of total. Assuming that the ratio of admins per desktops is similar regardless of whether the companies are small or large means that we can carry across that 20%.

I have two so far. How many researchers do you think they are? I really haven’t thought much about this proportion and what it might mean.

What do you think?

You still haven’t corrected your original post, where you assert that you believe no enterprise operational vulnerability researchers exist, despite the fact that you know that not to be true. And, obviously, you persist in implying that these people are hard to find, despite the fact that there is no evidence to suggest that they are.

I suspect you’re taking the very narrow end of a power distribution.

You are right that I had one addition. Other than that, it might be useful for you to consult with friends who have operational experience to understand what I mean.

If you have specific information about researchers, please let me know. Other than that, you are simply trolling my blog.

Just saying that you’re not being disingenuous doesn’t make it so.

No, it’s not disingenuous at all. I have been given leads that don’t satisfy my requirements and I am trying to make them easier. To date, I know of one person who likely satisfies the criteria.

I actually expect this to be very hard to do, especially given that the leads I was given completely misconstrued what I was looking for.

Given the difficulty, I haven’t really spent much time on it. My request is still a fairly recent one, and I was not expecting to update folks so soon. You seemed to want a speedy conclusion, so I made the reqts lighter.

There is too much smoke and mirrors in the security world, and I don’t like pseudo-security through obscurity. I think we should all come clean about our interests here and let the data go where it may.

I want to be clear, though – simply having worked for a company with greater than 3,000 endpoints does not qualify someone for this recognition.

I’d like to ask your readers: what attracts you to posts overtly designed to mislead you?