Is information security a phantom career choice? Does it exist because it’s a natural reaction to a force that cannot be controlled? I’m beginning to think it is.
I’m well aware of what it takes to protect a live, multi-user, multi-vectored network. I’m familiar with Richard Bejtlich’s works, theories and methodologies. I’m a seasoned programmer and I’m excellent at developing my own tools, whether they’re for analysis, recon, or real-time situational awareness. However, what I’m not willing to do is kill myself or sacrifice my youth to what I like to call professional rabbit chasing.
My close friends and school mates often ask me why I want to leave security behind. They see my progress and current career state as enviable and profitable; alas, they’re on the outside looking in. From an outsider’s perspective, information security seems like a fun and rewarding career. You get to dig into the trenches, hunt down digital bad guys and develop strategies to protect networks against intruders. I’ll admit there are fun aspects to the industry, but the reality of the situation is an overwhelming burden of stress and a high probability of infosec burnout.
Infosec burnout is becoming more common and it’s starting to get some attention. Having been in the industry for almost 8 years, I can confidently say that it’s an area that needs attention. I admit, it’s fun and interesting to be at the forefront of what’s increasingly becoming a major topic of international socio-economic issues. Everywhere you turn there’s some mention of data breaches, hacktivism, NSA leaks or cyber-terrorism. The importance of information security is taking off at an alarming rate and truth be told, it was just a matter of time.
I was 12 years old when I realized that computers and information were the way of the future. This was the year 1995. I was obsessed with anything and everything computer related and dedicated myself to learning as much about them as I could. I was no stranger to stealing books from school, rummaging through the dumpsters of CompUSA, and riding my bike 15 miles to thrift shops/flea markets/computer conventions just to get my hands on some new equipment or meet someone that could open my world up to something new. I knew there was something to be found within the confines of those copper wires that were beginning to connect the world over, I just didn’t know what it was or what it meant.
Flash forward to 2013 and everyone’s got a Linux machine in their pocket; the primary way in which people communicate and share their lives is through a social web site; and if you don’t know how to type, you’re practically worthless in our increasingly high-tech society. It’s safe to say that the culture from which I came is long gone and the complete commercialization of computers, networks and more specifically “Information Security” is alive and kicking.
I came from an era where the term Information Security didn’t really exist. To be interested in computer security was a rebellious mindset; one that was rooted in angsty adolescence and the acknowledgement that intelligence didn’t necessarily mean straight A’s and a full ride to Brown. Individuals like me that had an affinity for programming and dare I say, hacking, were interested and drawn to the LCD because there was something to be found, discovered and explored. How were we to know that the endless pursuit of fun, creation, art and power would ever be packaged up, labeled and sold to the corporations of the world?
Those from my generation are the true pursuers of this forbidden knowledge. As information security becomes more mainstream it will evolve into a 9-5 job that will lack any and all passion. It is the passionate ones that have the dedication, will and interest to protect the world’s data, but they are now too few and far between. Those that have a passion for security, networking, coding, and ultimately hacking, do it for reasons that the masses and the average infosec 9-5er cannot explain. Unfortunately, these individuals are the worst possible candidates for filling a seat in an information security position.
Information security personnel, once jaded, become liabilities. I speak from experience because the amount of knowledge I’ve acquired over the last 7-15 years cannot be taken away from me. In the modern high-tech and interconnected world that we live in, skills that I have honed over the majority of my life make me not only dangerous, but sketchy, shady and a threat to anyone who uses computers and networks to do business or live life; basically everyone. I don’t find the same joy and satisfaction that I used to get from learning something new about security. I think it’s due to the fact that I’ve realized that security is something that can never be mastered and to pursue mastery in a field as broad as information security is emotional, mental, and professional suicide. My perspective is also brought on by the amount of work I take for my employer as I’m the only information security professional in the organization, but I digress.
Eventually, I will get as far away from information security as I possibly can although that may be a less than economical decision considering there’s so much money to be made by exploiting it. It’s very difficult for me to dedicate myself to something that feels like such a lost cause. When I consider the amount of work and sacrifice it takes to just stay current within information security, I’m reminded of the life I want to live; a life that does not include sitting sedentary in front of a computer during the late night hours of my progressively stressful and sleepless life.
Because information security requires the commitment of after-hours functioning, it has no choice but to breed an anti-social discernment. Those that don’t have the time or interest to put in the extra hours will never be sharp enough to make enough of a difference. Those that have the interest will eventually realize that their time is more valuable than sitting around in their office, tinkering away at something that only a handful of people will appreciate. In my experience, as a hacker gets older and the reasons he/she became a hacker in the first place begin to fade into obscurity, the really good things in life begin to take priority over what was once the most important thing in the world to them. We can’t stay up all night for the rest of our lives.
Information security won’t just affect your social life; it will also begin to take effect on your physical health. To stay abreast, current, sharp and effective, one has no choice but to sit for long periods of time, burn the midnight oil and stay awake when everyone else is snoring. I suppose this was fine when we were kids, but as adults, sleep becomes more and more important for a healthy lifestyle.
I have to ask myself what the point is. How much of a difference can you really make working in information security? Is the job worth the stress when nothing you do can completely eliminate the threat of compromise? Is the job worth the stress when every day you drive home and think to yourself, “Did I make a difference today?” Is the job worth the lack of sleep, inevitable social sacrifices and adverse effects to your health? To some it is because it’s profitable, new and growing in popularity. But to those that haven’t been around long enough to have developed a solidified perspective and dedication to what it takes to implement effective protection, I’m convinced the phantom position is for you.