Careers & People
4/13/2017
10:30 AM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

So You Want to Be a Security Rock Star?

While the thrill of crafting attention-grabbing stunt hacks may seem like the coolest job on earth, what our industry needs more of are strong defenders who can fix things as well as break them.

In a time when the computer security industry is over a million people short of full employment, we need to be encouraging everyone who is interested in protecting our data to get into the game. You could argue that the best way to do this is to make the job sound like it’s super cool; that it’s all about moving fast, breaking stuff, and going to wild parties. But in the end, this tactic may be a self-defeating one.

Image Source: Christian Bertrand via Shutterstock
Image Source: Christian Bertrand via Shutterstock

When I think about the possibility of being a rock star, one of the defining features is the rarity of success. There wouldn’t be shows like American Idol or The Voice if everyone who put a serious effort into being a rock star became one!

Long Odds vs. Steady Gig
Out of all the children learning to play guitar right now, how many will be a household name some day? If they keep at it until adulthood, the odds of them eventually becoming well known as a musician are probably somewhat greater than that of being killed by a crocodile, but less than the odds of being killed by a venomous spider. Out of all the kids learning to code right now, the odds of them earning a living in technology are probably quite close to 100% if they keep at it until adulthood.

Security people are not and should never be a rarity, and not all are extroverts who even want to be shining stars. It seems to me that a better-than-average number of people who have a career in security are somewhat introverted; those who favor a cozy cube outnumber those who seek the spotlight. Infosec jobs offer very good odds of finding a solid, and fairly stable career path that pays a living wage for you to learn for a living.

Humble vs. Inflated Ego
Most people who work in this industry for long enough will have the unfortunate experience of working with someone who chose this career with the hope of being a shining star within the halls of padded, grey cubicles. Pejoratively, this person is usually called a "cowboy" (or at least that’s the G-rated version). And where you find cowboys, you’ll usually find other people who end up with the unfortunate task of cleaning up after them.

The cowboy may get stuff done – and quickly – by shooting first and asking questions later, but it’s usually by running roughshod over established protocols and procedures. While this habit may win them approval from higher-ups within the organizational food chain, working alongside them is usually described as painful, at best.

In practice, effective security people tend to be the ones who are able to build consensus with other groups, as well as with the people who are in charge of assigning budgets. They don’t seek glory and ego-inflation as much as they seek to help other people do their jobs effectively, in a secure way.

Breaking Stuff vs. Fixing Stuff
There are people in security circles who are famous (or perhaps "infamous" is a more apt term) for breaking other people’s products. While attention-grabbing stunt hacks may be a necessary evil in some cases, most of what we have a dearth of is defenders who can help fix security problems. Strategically correcting errors made by other people is decidedly less sexy than smashing things, but provides more security in the long run by helping people make safer choices. And helping others brings its own kind of satisfaction.

I’m sure we can all think of a job title or two where the pay is low, the hours are long, and the conditions are challenging, yet there is a crowd of skilled people in line for every vacant position. Most, if not all, of those jobs are ones in which people are able to make a positive difference in the lives of others. Security is also an industry where we can use our skills to affect others positively. It’s not just about breaking things for fun and profit, or about free booze and partying, though it can certainly include those items. A career in security can also be a stable and rewarding pursuit; financially, intellectually and emotionally.

[Get tips from short-handed CISOs on how to attract, cultivate and retain talented cybersecurity staff when there are so few to go around - at Interop ITX, May 15-19, at the MGM Grand in Las Vegas.] 

Related Content:

 

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ryanology
50%
50%
Ryanology,
User Rank: Apprentice
4/27/2017 | 2:50:14 PM
Re: Oh those cowboys...
You nailed it - being able to fix things and solve problems, and be of genuine service, are the hallmarks of a great T.T. security person. Cowboys dont last long - Ive worked with a few and they tend to fade away or get fired eventually. Check your ego at the door and do good work, and I think the I.T. industry will treat you right.
toussa
100%
0%
toussa,
User Rank: Apprentice
4/25/2017 | 4:01:48 AM
Re: The best career I could have chosen
Clearly. It is essential to make the craft more fun. If you have fun while ensuring safety, then the most passionate guys will come.
romulonfreitas
100%
0%
romulonfreitas,
User Rank: Apprentice
4/18/2017 | 9:49:33 PM
The best career I could have chosen
I found your article to be so realistic and I could only agree with you on every point mentioned in it. I am a senior threat analyst and, the challenges we face every day, we certainly cannot put a price on them. Of course, a decent salary, the fact that we have a certain stability in our jobs, everything counts, however the thrill of being in touch with so many different vulnerabilities and threats, that is priceless. Thank you for such an amazing article!
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, you were supposed to display UNICODE characters!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.