Why Information Security is the Hardest Career

November 10, 2009

I was talking to my friend Ian the other day and he mentioned that he was posting about our careers and what we do. I pointed that I have been ranting on the topic of why our career is the most difficult for the past couple of years – anybody who saw Lee and I speak at Defcon, Source or RSA in the past couple of years heard my rationale.

Security is an interesting discipline – the threat landscape is always changing and we’re forced to keep up constantly. The simple reason behind that change is that security is ultimately a quality issue. What’s interesting about quality is that issues in product quality are heavily front-loaded – as a product matures, the number of newly discovered quality issues decreases. Thus, the security issues are almost always within the newest technologies.

This forces security professionals to be always conversant on the newest technologies. Imagine for a second that we had a time machine, and we brought three IT professionals from 1997 to the present: a Unix system administrator, a C programmer, and a security engineer.

The Unix system administrator’s knowledge of SunOS 2.6 would allow them to be functionally conversant on a modern *nix system. They’d have a few things to learn, but most of their fundamental knowledge (e.g. run levels, cron, syslog) would be useful today.

The C++ programmer would still be able to hack on code. Sure, there have been changes to the STL over that time and there are some new constructs. They might have to learn pair programming and agile methods. But their coding skills would be the same.

The security engineer would be…. well, lost. Functionally incompetent. They could expound on Smurf and Land attacks and ensuring that there were as few SUID binaries on your box as possible. But they couldn’t even use the basic technologies… Firewalls weren’t stateful. IDS was barely nascent. There was no such thing as spyware. SIEM, DLP, and anti-spyware would have been terms that made no sense. No wireless networks. Not to mention that “cloud” and “social network” would have garnered confused looks.

Five years from today, the Unix admin and the coder will still be conversant. And my examples that I used talking about the security professional will seem quaint and antiquated.

This is because the challenges for the security professional are always in the brand new technology – we don’t deal with issues in the IP stack because we handled them in 1997. And we moved on because the attackers found more fertile ground in the new technologies. And we will move on again – in five years, web app security will be old hat, as will “the cloud”. (“Remember when we were all worried about issues on Facebook and Google Apps?“, we’ll remenisce at Defcon 22…)

This makes it extremely difficult to create a long-term career in infosec – the moment you stop being conversant in the newest technologies is the moment that you’re functionally obsolete. So, we have to be willing to make a long-term commitment to our own growth and investment. We have to study. And we have to continue to grow every day lest we be left behind.

Posted by mmurray | Filed Under Planning, Security Industry 


2 Responses to “Why Information Security is the Hardest Career”

  1. Interesting Information Security Bits for 11/12/2009 | Infosec Ramblings on November 12th, 2009 3:20 pm

    [...] Why Information Security is the Hardest Career | Information Security Leaders Tags: ( career ) [...]

  2. Specialists, Generalists, Incompetence, and Cognitive Bias « Bad Penny on January 24th, 2010 10:48 am

    [...] Certainly being a well rounded and traveled individual may help in finding this kind of clarity. This may also be something largely gained from journeyman tradecraft; seeing other methods and masters firsthand. This may be why people talk about risk management as being on par with a JD or MD; it takes a lot of time, passion, and diligence to become and stay competent and aware and literate of the many challenges present in diverse environments and constantly moving technology. The responsibility in the design, management and assessment of complicated systems is also large. Persistent errors here can literally cost lives, crash fortunes, and wreck business models. It may be one of the hardest careers. [...]