4/13/2017
10:30 AM
Lysa Myers
Commentary

So You Want to Be a Security Rock Star?

While the thrill of crafting attention-grabbing stunt hacks may seem like the coolest job on earth, what our industry needs more of are strong defenders who can fix things as well as break them.

In a time when the computer security industry is over a million people short of full employment, we need to be encouraging everyone who is interested in protecting our data to get into the game. You could argue that the best way to do this is to make the job sound like it’s super cool; that it’s all about moving fast, breaking stuff, and going to wild parties. But in the end, this tactic may be a self-defeating one.

Image Source: Christian Bertrand via Shutterstock

When I think about the possibility of being a rock star, one of the defining features is the rarity of success. There wouldn’t be shows like American Idol or The Voice if everyone who put a serious effort into being a rock star became one!

Long Odds vs. Steady Gig
Out of all the children learning to play guitar right now, how many will be a household name some day? If they keep at it until adulthood, the odds of them eventually becoming well known as a musician are probably somewhat greater than that of being killed by a crocodile, but less than the odds of being killed by a venomous spider. Out of all the kids learning to code right now, the odds of them earning a living in technology are probably quite close to 100% if they keep at it until adulthood.

Security people are not and should never be a rarity, and not all are extroverts who even want to be shining stars. It seems to me that a better-than-average number of people who have a career in security are somewhat introverted; those who favor a cozy cube outnumber those who seek the spotlight. Infosec jobs offer very good odds of finding a solid and fairly stable career path that pays a living wage for you to learn for a living.

Humble vs. Inflated Ego
Most people who work in this industry for long enough will have the unfortunate experience of working with someone who chose this career with the hope of being a shining star within the halls of padded, grey cubicles. Pejoratively, this person is usually called a "cowboy" (or at least that’s the G-rated version). And where you find cowboys, you’ll usually find other people who end up with the unfortunate task of cleaning up after them.

The cowboy may get stuff done – and quickly – by shooting first and asking questions later, but it’s usually by running roughshod over established protocols and procedures. While this habit may win them approval from higher-ups within the organizational food chain, working alongside them is usually described as painful, at best.

In practice, effective security people tend to be the ones who are able to build consensus with other groups, as well as with the people who are in charge of assigning budgets. They don’t seek glory and ego-inflation as much as they seek to help other people do their jobs effectively, in a secure way.

Breaking Stuff vs. Fixing Stuff
There are people in security circles who are famous (or perhaps "infamous" is a more apt term) for breaking other people’s products. While attention-grabbing stunt hacks may be a necessary evil in some cases, what we mostly lack is defenders who can help fix security problems. Strategically correcting errors made by other people is decidedly less sexy than smashing things, but provides more security in the long run by helping people make safer choices. And helping others brings its own kind of satisfaction.

I’m sure we can all think of a job title or two where the pay is low, the hours are long, and the conditions are challenging, yet there is a crowd of skilled people in line for every vacant position. Most, if not all, of those jobs are ones in which people are able to make a positive difference in the lives of others. Security is also an industry where we can use our skills to affect others positively. It’s not just about breaking things for fun and profit, or about free booze and partying, though it can certainly include those items. A career in security can also be a stable and rewarding pursuit: financially, intellectually and emotionally.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...
Comments
Ryanology,
User Rank: Apprentice
4/27/2017 | 2:50:14 PM
Re: Oh those cowboys...
You nailed it - being able to fix things and solve problems, and be of genuine service, are the hallmarks of a great I.T. security person. Cowboys don't last long - I've worked with a few and they tend to fade away or get fired eventually. Check your ego at the door and do good work, and I think the I.T. industry will treat you right.
toussa,
User Rank: Apprentice
4/25/2017 | 4:01:48 AM
Re: The best career I could have chosen
Clearly. It is essential to make the craft more fun. If you have fun while ensuring safety, then the most passionate guys will come.
romulonfreitas,
User Rank: Apprentice
4/18/2017 | 9:49:33 PM
The best career I could have chosen
I found your article to be so realistic and I could only agree with you on every point mentioned in it. I am a senior threat analyst and, the challenges we face every day, we certainly cannot put a price on them. Of course, a decent salary, the fact that we have a certain stability in our jobs, everything counts, however the thrill of being in touch with so many different vulnerabilities and threats, that is priceless. Thank you for such an amazing article!