A little background: I’ve been a Security “Professional” since 2007. I started at a small company that just did consulting and eventually went to work for the government for 4 or so years. Over time, my idea of what Security work should be and what it actually was grew further and further out. Eventually, I found myself versed and experienced enough to really see the trouble that lies ahead. Yes, I started to realize the absolute inevitability of working in Information Security for a mid-large sized financial organization; there’s nothing you can do to prevent problems and headaches… just detect it, and respond to it appropriately and get back to work.
Business Security: Information Security in a corporate setting, characterized by misused talent, security budget meetings and fancy pie charts for management. Business Security in all its glory is just another department in your typical, large, office building. Business Security is doing a product analysis to determine what DLP solution you want to implement over the next quarter or two. Business Security is being forced to listen to users complain about VPN connectivity when you know damn well it’s their home internet connection. Business Security is satisfying your direct reports… and their direct reports… and their direct reports. Business Security is going to the security conventions to network and pass out your new business cards with that shiny new minted CISSP accreditation appended to your name.
Business Security is what’s wrong with Security.
But it keeps money in your wallet and food on the table you say? This is true, but it comes with the cost of your dignity and reputation. Business Security is a farce. The allegedly more secure firms and organizations are still at risk of compromise because all it takes is a dedicated attacker. Seriously, let me repeat that, all it takes is a dedicated attacker.
It’s not a matter of if you’ll get attacked, it’s when. Everyone at this point is at risk and as a security professional, there’s really nothing you can do to stop it. And consequently, you’ll wind up getting blamed. How can you possibly work to secure every single attack vector your company has implemented in order to appease the employees? Personally, I’m the sole security engineer for my company. Granted, it makes me feel great that I’ve found myself in this position, but at the same time, I’m well aware of what’s possible, what criminals are capable of, and how they can and will go about doing it. It’s a stressful profession, and I don’t like stress.
Now, I’ve been in school for Software Engineering for the better part of 3 years. Technically, I’m a junior, but similar to my high school experience, I should have graduated by now. Anyway, I find software development to be the absolute panacea to hyper-paranoid security work. As a programmer, I can literally just conjure up an idea and make it happen. As a programmer, I can turn thought into reality. I can build tools, bridges, communication means, secure transport options, automated robots, slick interfaces, and digital gateways to real world information. Programming and Software Construction is the art of transforming brainwaves into an intangible interactive product. Programming is rooted in creativity and logic. Not only that, but when the solution is built and the requirements are met, you’ve completed something, and you’ve created something as well. Software developers are essentially the Gods of the virtual world. We create the cities, communities, tools and metaphorical vehicles that allow people to navigate and live in these worlds. There’s a power complex to it, and each programmer will tell you they’re a genius in their own mind.
The security world has a few subdivisions that should be mentioned, as not all security personnel are the same. Consider the idea that InfoSec has skyrocketed in the last 10 years as not only a lucrative career, but as a general item of business interest. It has become a hot topic and a magnet for confused college graduates trying to get a good paying job. Entry into the field is simple if you’ve obtained a CISSP (which is a bootcamp and a $500 test fee away) in addition to the degree in Art History you managed to obtain. These watered down newly minted CISSPs find their way into a company’s risk management team and voila, 65k/year and the ability to say you work in InfoSec. Now, I’m not saying these people are worthless, because they do have their purpose. I’m saying there should be divisions within Security and because there aren’t, these individuals get grouped with guys like myself.
Guys like myself… Now before I delve into the security guy that I represent, allow me to briefly touch upon the hardcore security junkie. The hardcore security junkie is the guy that has no social life but seems to basically know everything there is about security. Hardcore Sec Junkies write highly specialized books on specific topics, blog endlessly about their research, and still have time to watch their company’s network. These are the people that wind up going into business for themselves doing security consulting because they’re that damn good. These are the guys you want working for you, not against you. Oftentimes, these guys will have a couple of SANS certs, a published white paper and an affinity for energy drinks. (Generalization, I know… don’t hate). These guys you should know exactly what to do with… put them in the basement, let them hack.
Now… Security guys like myself are enigmas. Personally, I’m not obsessed with security. Oftentimes I just want to go home and leave my desk alone. I hardly ever do that, but I do get burnt out. Guys like myself I like to refer to as idealistic generalists. I (we) have an idealistic point of view when it comes to the internet, computer use, security, and software development. The world is bigger than Defcon and Blackhat. The idealistic security generalist should actually not have the word security in the description. I don’t want to put myself in a box and call myself a security professional; I’m so much more than that. I actually like to program. It’s my chosen career choice. I like to go out and meet people, flirt with women and stay active. I realize that I’m never going to have the time to become as incredibly deadly as I want to be with BackTrack but you know what? That’s okay. I’ve said it before and I’ll say it again, security is too widespread to be mastered, and that’s where the problem is.
Personally, I’d rather study software engineering, which actually has limits to the foundations on which you learn. Granted, there’s still a lot to learn, but the difference is in the execution. As a programmer, you can take a learned concept and apply it in many different ways, only limited by your skill-set as a programmer and your imagination. There are no limits in programming and software development once you solidify your fundamental understanding of current construction models and trends (e.g. OOP). As a programmer, you’re only responsible for the attention you’ve paid to the code that you’ve written. You’re limitless; without limits… no limits. Security on the other hand is one big prison that gets smaller and smaller the more you become aware of security concepts. I challenge any seasoned security professional to tell me they sleep well at night because they’re sure that nothing can go wrong. When you’re a security professional and you’ve trained your brain to think the worst, to consider the weak points of compromise and to find methods of circumvention, everything is insecure to you. Security is not necessarily something you can be good at; it’s just something you increasingly become more versed in. When you continue to practice security you start to realize that everything you do is pretty much useless because you’re aware of what the guys that have all the time in the world are capable of. Nietzsche said, “whoever battles monsters should take care not to become a monster too, for if you stare long enough into the abyss, the abyss stares also into you”. To relate that to the Security Profession, when you’re in the trenches, reading about new exploits every day and the crackers that write them, you start to understand that you’re fighting a losing battle.
So for the aspiring security professional I would really give it some thought as to what you think you’re getting into. Do you want to get in as a non-technical analyst, perform some risk assessments and work your way up the corporate ladder, ultimately winding up in an executive security position? Do you want to learn how to “haxx computers”? Are you getting into the industry because all you’re seeing these days are computer security positions? Or are you really just a programmer that wants some more excitement and increased responsibility? Whatever your true intentions, please realize that you will be fighting an army of men and women who will sit around for hours, upon days, upon months, just to come up with effective ways to break into your network, and you’ll likely have no way to prevent it. You’ll spend the majority of your time putting in third-party systems that you hope will bring you some peace of mind, only to get owned by a crafty South American cracker that was targeting cute and susceptible, security-ignorant Ashley, over there in Marketing. There is no way to stop the coming storm. There is nothing you can do.
If you’re just into technology and you want to work on computers, why not just become a programmer? It’s actually obvious… it’s because most people don’t have the capacity to be a good programmer. Most can’t fathom the thought of sitting at a console for 8+ hours, pecking away at source code, trying to hammer out a solution. I tell you what, it’s a better alternative than driving yourself crazy with the thought of the cyber-boogieman getting access and lurking through your network, stealing your company’s intellectual property and making off with it, only to blame you for your negligence.
I have techno-lust. I love computers, programming, security, games, operating systems and just cool shit that can be done with software. It’s what I’m good at, and the more I hone my programming abilities, the more I want to pursue software engineering rather than security. Security – more specifically Business Security – has absolutely nothing to do with technology. It’s about policy, control and people. If you want to work on security systems and really do cool security work, you either work for a SOC (eh), or go to graduate school for computer security research. Do not be fooled by the promise of exciting work and catching digital bad guys. It’s hardly the reality of the security industry.
In conclusion, computer science/software engineering is the way to go in my humble opinion if you’re like me. If you’re creative, inventive and logical, try some programming, you might enjoy it and find your calling. To me it’s a philosophical thing. I’m an idealist and I find absolute euphoria in creating something that originated in the confines of my consciousness.
To those MBAs, or recent college grads that just want a good, decent paying job right out of college, go get your CISSP and put your resume out there. You’re the ones the businesses need. You’re the ones who don’t code, who aren’t technical and wouldn’t be caught writing a script if they had a gun to their head. Businesses need you and your CISSPy attitudes. Businesses need those schmucks to talk it up in meetings and explain risk ratings to security-naive executives.
For those hackers out there that want to make money doing what they love, DO NOT pursue a position in security (business security). You will be absolutely miserable, forced to perform tasks that are mind-numbingly boring compared to what you want to do. Get out there and go get that coveted CEH, OSCP, GPEN, etc., and then go find a security consulting company that can take you under their wing and teach you the ropes. Stay away from the businesses. They think they need you, but they don’t.