Why Information Security is the Hardest Career
November 10, 2009
I was talking to my friend Ian the other day and he mentioned that he was posting about our careers and what we do. I pointed out that I have been ranting on the topic of why our career is the most difficult for the past couple of years – anybody who saw Lee and me speak at Defcon, Source or RSA in the past couple of years heard my rationale.
Security is an interesting discipline – the threat landscape is always changing and we’re forced to keep up constantly. The simple reason behind that change is that security is ultimately a quality issue. What’s interesting about quality is that issues in product quality are heavily front-loaded – as a product matures, the number of newly discovered quality issues decreases. Thus, the security issues are almost always within the newest technologies.
This forces security professionals to always be conversant in the newest technologies. Imagine for a second that we had a time machine, and we brought three IT professionals from 1997 to the present: a Unix system administrator, a C++ programmer, and a security engineer.
The Unix system administrator’s knowledge of SunOS 2.6 would allow them to be functionally conversant on a modern *nix system. They’d have a few things to learn, but most of their fundamental knowledge (e.g. run levels, cron, syslog) would be useful today.
The C++ programmer would still be able to hack on code. Sure, there have been changes to the STL over that time and there are some new constructs. They might have to learn pair programming and agile methods. But their coding skills would be the same.
The security engineer would be… well, lost. Functionally incompetent. They could expound on Smurf and Land attacks and ensuring that there were as few SUID binaries on your box as possible. But they couldn’t even use the basic technologies… Firewalls weren’t stateful. IDS was barely nascent. There was no such thing as spyware. SIEM, DLP, and anti-spyware would have been terms that made no sense. No wireless networks. Not to mention that “cloud” and “social network” would have garnered confused looks.
Five years from today, the Unix admin and the coder will still be conversant. And my examples that I used talking about the security professional will seem quaint and antiquated.
This is because the challenges for the security professional are always in the brand new technology – we don’t deal with issues in the IP stack because we handled them in 1997. And we moved on because the attackers found more fertile ground in the new technologies. And we will move on again – in five years, web app security will be old hat, as will “the cloud”. (“Remember when we were all worried about issues on Facebook and Google Apps?”, we’ll reminisce at Defcon 22…)
This makes it extremely difficult to create a long-term career in infosec – the moment you stop being conversant in the newest technologies is the moment that you’re functionally obsolete. So, we have to be willing to make a long-term commitment to our own growth and investment. We have to study. And we have to continue to grow every day lest we be left behind.