Career Advice Tuesday – The Rant Edition

March 1, 2011

Anybody who knows me knows that I tend to get ranty on occasion. I got a question lately that made me more than a little bit that way.

Before I post the question, a brief thought about the industry that anybody who has heard me talk about information security careers has heard before. I believe that information security has one of the single hardest career paths in the entire world. Not that it’s a difficult job – compared to any episode of Dirty Jobs, it’s a cake-walk.

But making a career in infosec is hard because we have to work a lot harder to keep up in our field than most. The reason is simple: security issues aren’t in the oldest technology. Once a technology has been around for a few years, the security issues get worked out and we move on.

As an example, think back to 2003: everyone was freaking out about wireless security issues. WEP was a mess, everyone was deploying wireless insecurely, and security people were talking about how “wireless security” and “wireless penetration testing” were the hot skills.

When was the last time you thought: “Man, I really should get a job as a wireless penetration tester. That’s where all the good jobs are these days.”?

This is the case for almost every part of security – while it’s important now, in 10 years the Cloud Security Alliance is likely to look awfully anachronistic.

The problem with security as a career is that you have to CONSTANTLY learn new things. Our job (for anybody who wants to be relevant 10 years from now) is one of continual effort to keep up with the latest/newest technologies. And, because of that, it’s rarely going to be a traditional 40 hour/week job.

So… the question I got late last week from someone who is 3 years out of school:

I’m not interested in a job where it is essentially expected that one works for longer than the standard 40/week. I also want to be able to use whatever vacation time I earn without being guilt-tripped by the office culture.

In my interview process, could you suggest a good way to determine which jobs are going to be expecting long work-week commitments? And would you be able to recommend a tactful way of bringing up how much I value my personal time during an interview?

Here’s the thing: I’m all for work/life balance. But neither Lee nor I believe that it’s possible to succeed long-term in our industry with that mind-set, especially early in your career. It’s one thing to have built a broad and deep skill-set and decide to take a job for quality of life reasons – it’s another to attempt to build that broad and deep skill-set in a rapidly changing industry while attempting to maximize the amount of vacation you take (unless, like many of us, your ideal vacations include a bus ride with a man with a beard or a trip to a conference that happens beside other conferences).

There are LOTS of industries where this isn’t the case. I was a *nix admin more than a decade ago, and I could still be a passable one today even having not touched a CLI (other than on my MacBook when I want to use grep or find) since.

Someone who was a security person in 1999 who hadn’t touched security (other than configuring their home router) for 10 years? They couldn’t talk about wireless security, web-app security, social media/cloud security, DLP, GRC, etc.

But they could probably tell you all about the benefits of stateful inspection and run Cybercop Scanner. If you don’t know what I’m talking about, I think I just made my point… And if you laughed, I definitely did.

Posted by mmurray | Filed Under Career Advice Tuesday, Security Industry 

