
Careers & People

4/13/2017
10:30 AM
Lysa Myers
Commentary

So You Want to Be a Security Rock Star?

While the thrill of crafting attention-grabbing stunt hacks may seem like the coolest job on earth, what our industry needs more of are strong defenders who can fix things as well as break them.

In a time when the computer security industry is over a million people short of full employment, we need to be encouraging everyone who is interested in protecting our data to get into the game. You could argue that the best way to do this is to make the job sound like it’s super cool; that it’s all about moving fast, breaking stuff, and going to wild parties. But in the end, this tactic may be a self-defeating one.

When I think about the possibility of being a rock star, one of the defining features is the rarity of success. There wouldn’t be shows like American Idol or The Voice if everyone who put a serious effort into being a rock star became one!

Long Odds vs. Steady Gig
Out of all the children learning to play guitar right now, how many will be a household name some day? If they keep at it until adulthood, the odds of them eventually becoming well known as a musician are probably somewhat greater than that of being killed by a crocodile, but less than the odds of being killed by a venomous spider. Out of all the kids learning to code right now, the odds of them earning a living in technology are probably quite close to 100% if they keep at it until adulthood.

Security people are not and should never be a rarity, and not all are extroverts who even want to be shining stars. It seems to me that a better-than-average number of people who have a career in security are somewhat introverted; those who favor a cozy cube outnumber those who seek the spotlight. Infosec jobs offer very good odds of finding a solid, and fairly stable career path that pays a living wage for you to learn for a living.

Humble vs. Inflated Ego
Most people who work in this industry for long enough will have the unfortunate experience of working with someone who chose this career with the hope of being a shining star within the halls of padded, grey cubicles. Pejoratively, this person is usually called a "cowboy" (or at least that’s the G-rated version). And where you find cowboys, you’ll usually find other people who end up with the unfortunate task of cleaning up after them.

The cowboy may get stuff done – and quickly – by shooting first and asking questions later, but it’s usually by running roughshod over established protocols and procedures. While this habit may win them approval from higher-ups within the organizational food chain, working alongside them is usually described as painful, at best.

In practice, effective security people tend to be the ones who are able to build consensus with other groups, as well as with the people who are in charge of assigning budgets. They don’t seek glory and ego-inflation as much as they seek to help other people do their jobs effectively, in a secure way.

Breaking Stuff vs. Fixing Stuff
There are people in security circles who are famous (or perhaps "infamous" is a more apt term) for breaking other people’s products. While attention-grabbing stunt hacks may be a necessary evil in some cases, most of what we have a dearth of is defenders who can help fix security problems. Strategically correcting errors made by other people is decidedly less sexy than smashing things, but provides more security in the long run by helping people make safer choices. And helping others brings its own kind of satisfaction.

I’m sure we can all think of a job title or two where the pay is low, the hours are long, and the conditions are challenging, yet there is a crowd of skilled people in line for every vacant position. Most, if not all, of those jobs are ones in which people are able to make a positive difference in the lives of others. Security is also an industry where we can use our skills to affect others positively. It’s not just about breaking things for fun and profit, or about free booze and partying, though it can certainly include those items. A career in security can also be a stable and rewarding pursuit: financially, intellectually and emotionally.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ryanology
50%
50%
Ryanology,
User Rank: Apprentice
4/27/2017 | 2:50:14 PM
Re: Oh those cowboys...
You nailed it - being able to fix things and solve problems, and be of genuine service, are the hallmarks of a great I.T. security person. Cowboys don't last long - I've worked with a few and they tend to fade away or get fired eventually. Check your ego at the door and do good work, and I think the I.T. industry will treat you right.
toussa, User Rank: Apprentice
4/25/2017 | 4:01:48 AM
Re: The best career I could have chosen
Clearly. It is essential to make the craft more fun. If you have fun while ensuring safety, then the most passionate guys will come.
romulonfreitas, User Rank: Apprentice
4/18/2017 | 9:49:33 PM
The best career I could have chosen
I found your article to be so realistic, and I could only agree with you on every point mentioned in it. I am a senior threat analyst and, as for the challenges we face every day, we certainly cannot put a price on them. Of course, a decent salary and the fact that we have a certain stability in our jobs, everything counts; however, the thrill of being in touch with so many different vulnerabilities and threats, that is priceless. Thank you for such an amazing article!