In a time when the computer security industry is over a million people short of full employment, we need to be encouraging everyone who is interested in protecting our data to get into the game. You could argue that the best way to do this is to make the job sound like it’s super cool; that it’s all about moving fast, breaking stuff, and going to wild parties. But in the end, this tactic may be a self-defeating one.
When I think about the possibility of being a rock star, one of the defining features is the rarity of success. There wouldn’t be shows like American Idol or The Voice if everyone who put a serious effort into being a rock star became one!
Long Odds vs. Steady Gig
Out of all the children learning to play guitar right now, how many will be a household name some day? If they keep at it until adulthood, the odds of them eventually becoming well known as a musician are probably somewhat greater than that of being killed by a crocodile, but less than the odds of being killed by a venomous spider. Out of all the kids learning to code right now, the odds of them earning a living in technology are probably quite close to 100% if they keep at it until adulthood.
Security people are not and should never be a rarity, and not all are extroverts who even want to be shining stars. It seems to me that a better-than-average number of people who have a career in security are somewhat introverted; those who favor a cozy cube outnumber those who seek the spotlight. Infosec jobs offer very good odds of finding a solid and fairly stable career path that pays a living wage for you to learn for a living.
Humble vs. Inflated Ego
Most people who work in this industry for long enough will have the unfortunate experience of working with someone who chose this career with the hope of being a shining star within the halls of padded, grey cubicles. Pejoratively, this person is usually called a "cowboy" (or at least that’s the G-rated version). And where you find cowboys, you’ll usually find other people who end up with the unfortunate task of cleaning up after them.
The cowboy may get stuff done – and quickly – by shooting first and asking questions later, but it’s usually by running roughshod over established protocols and procedures. While this habit may win them approval from higher-ups within the organizational food chain, working alongside them is usually described as painful, at best.
In practice, effective security people tend to be the ones who are able to build consensus with other groups, as well as with the people who are in charge of assigning budgets. They don’t seek glory and ego-inflation as much as they seek to help other people do their jobs effectively, in a secure way.
Breaking Stuff vs. Fixing Stuff
There are people in security circles who are famous (or perhaps "infamous" is a more apt term) for breaking other people’s products. While attention-grabbing stunt hacks may be a necessary evil in some cases, what we mostly have a dearth of is defenders who can help fix security problems. Strategically correcting errors made by other people is decidedly less sexy than smashing things, but it provides more security in the long run by helping people make safer choices. And helping others brings its own kind of satisfaction.
I’m sure we can all think of a job title or two where the pay is low, the hours are long, and the conditions are challenging, yet there is a crowd of skilled people in line for every vacant position. Most, if not all, of those jobs are ones in which people are able to make a positive difference in the lives of others. Security is also an industry where we can use our skills to affect others positively. It’s not just about breaking things for fun and profit, or about free booze and partying, though it can certainly include those items. A career in security can also be a stable and rewarding pursuit: financially, intellectually and emotionally.