
I had a meeting today with a "cybersecurity expert" who was consulting a big company that had no idea what a hash function was. Literally no idea, as in "never heard the term before".

I explained the concept to her and she started referring to it as "encryption". I told her it wasn't encryption and she immediately started to debate me about that. Let that sink in for a bit: she really thought she knew more than me about a (fundamental) concept that I had just introduced to her world a few minutes before.

There's a plague of incompetence and mediocrity everywhere, and that is one cause for the issues that OP is talking about. It won't get any better soon so expect to have a lot of fun in future years.



Security folks sometimes don't realize the connection between hash functions (for data structures) and cryptographic hashing (aka digest) functions. Perhaps that was the confusion?

https://en.wikipedia.org/wiki/Cryptographic_hash_function
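As an added illustration (not code from this thread or from any commenter), the following Python uses only the standard library to make the distinction concrete: a data-structure hash (FNV-1a) that maps keys to buckets, a cryptographic digest (SHA-256) with fixed output length and avalanche behaviour, and, for contrast, a keyed and reversible operation (a one-time-pad XOR, toy only). It also shows why "hashed" is not "encrypted": with no key and no inverse, the only way back from a digest of a low-entropy input such as a 4-digit PIN is to guess. The PIN, bucket count and XOR key are constructed sample inputs.

```python
"""Hash functions vs. encryption: an added illustration, not code from the thread.

Standard library only. The 4-digit PIN, the bucket count and the XOR key below
are constructed sample inputs.
"""
import hashlib
import itertools
from typing import Optional

FNV_OFFSET_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """Non-cryptographic hash (FNV-1a, 32-bit): fast and fine for hash tables,
    useless for security because the output is 32 bits and collisions are cheap."""
    h = FNV_OFFSET_32
    for byte in data:
        h ^= byte
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF
    return h


def bucket_index(key: bytes, n_buckets: int) -> int:
    """The data-structure use of a hash: map a key to a slot. Nothing secret here."""
    return fnv1a_32(key) % n_buckets


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash (digest): fixed 256-bit output, preimage- and
    collision-resistant. There is no key and no inverse function."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Count bit positions at which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def xor_encrypt(key: bytes, message: bytes) -> bytes:
    """Encryption in its simplest form (a one-time pad): keyed and reversible,
    applying the same key again returns the message. Toy only: the key must be
    random, as long as the message, and never reused."""
    if len(key) != len(message):
        raise ValueError("one-time pad key must match message length")
    return bytes(k ^ m for k, m in zip(key, message))


def brute_force_preimage(target_hex: str, alphabet: str, length: int) -> Optional[str]:
    """The only way to 'reverse' a hash of a low-entropy input: enumerate guesses.
    This is why hashing a PIN or password without a salt and a slow KDF is not
    'protection', even though the digest looks scrambled."""
    for combo in itertools.product(alphabet, repeat=length):
        candidate = "".join(combo)
        if sha256_hex(candidate.encode()) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    # 1. Data-structure hashing: same key -> same bucket.
    print("bucket for b'user:alice' in 16 slots:", bucket_index(b"user:alice", 16))

    # 2. Cryptographic digest: fixed length regardless of input size ...
    print(sha256_hex(b""), len(sha256_hex(b"")) * 4, "bits")
    print(sha256_hex(b"x" * 10_000), "(10 kB input, same digest size)")

    # ... and a one-byte change flips roughly half of the output bits.
    d1 = bytes.fromhex(sha256_hex(b"abc"))
    d2 = bytes.fromhex(sha256_hex(b"abd"))
    print("bits changed by editing one byte:", differing_bits(d1, d2), "of 256")

    # 3. Encryption is keyed and reversible; a hash is neither.
    key = bytes([0x5A, 0xC3, 0x17, 0x88, 0x01, 0xFE, 0x42, 0x9B])  # constructed sample key
    ciphertext = xor_encrypt(key, b"hunter22")
    print("decrypted:", xor_encrypt(key, ciphertext))

    # 4. A 'hashed' 4-digit PIN is recovered with at most 10^4 guesses.
    pin_digest = sha256_hex(b"4821")  # constructed sample PIN
    print("recovered PIN:", brute_force_preimage(pin_digest, "0123456789", 4))
```

The practical takeaway for the meeting described above: a digest can be verified (recompute and compare) but never decrypted, so the security of a stored hash of human-chosen data rests entirely on how hard it is to guess the input, not on any key.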


No, I have definitely seen people with fancy titles around data security, and now also GDPR 'specialists/consultants', who lack the most basic CS knowledge, sometimes coming from other fields like business and administration.

People will chase opportunities wherever they find them, if you have a good network and managers who are as clueless as you then you can absolutely fake it till you sort of make it (in large enough corps).


To this day I haven't met a security consultant or data protection person that had any idea what they were talking about. I'm not talking about experts, but people that were appointed and got the title "Security something".

Most of them were regular business people that just parrot some buzzwords like "Encryption" and "at least 256 bit".


I don't understand this. When I think of security people, I immediately think of articles where they describe how they made a timing attack which caused a race condition, which allowed them to overwrite the stack, and do arbitrary code execution via return-oriented-programming.

I'm reminded that these people exist and can routinely do stuff like this (or even more insane), and even though I've considered myself knowledgeable about this stuff, it makes me feel like the monkey looking at the monolith in 2001.

How do these folks become security experts?


Their "security advice" consists of parroting back stuff they read on blog posts, LinkedIn, and places alike.

"Change your password every 3 months", "did you enable 2FA?", blah blah blah.

Add clueless managers (as another commenter said) and some nepotism to the mix, and that's how they get some contracts with big names (Microsoft, Oracle, ...).

Afterwards it only gets better for them because they can advertise they were "part of the security auditing team at <big company>, reporting directly to the VP"; even though their only real useful task was to keep warm coffee at hand.

This happens continuously until one day someone in a meeting asks them about a hash function and they are absolutely clueless and the show falls down; or it could be much worse and go on until an entire community has to pay for it with life-long consequences (see Flint), or until billions of dollars become lost/stolen (see Madoff, Holmes, your choice of weekly crypto scam), or until planes start falling out from the sky because of a newly-developed "feature" (see Boeing 737 MAX), ... the list goes on forever.

We live in an era of mediocrity disguised as a (fake) meritocracy, with all the consequences it implies.



