Why Information Security is the Hardest Career
November 10, 2009
I was talking to my friend Ian the other day and he mentioned that he was posting about our careers and what we do. I pointed that I have been ranting on the topic of why our career is the most difficult for the past couple of years – anybody who saw Lee and I speak at Defcon, Source or RSA in the past couple of years heard my rationale.
Security is an interesting discipline – the threat landscape is always changing and we’re forced to keep up constantly. The simple reason behind that change is that security is ultimately a quality issue. What’s interesting about quality is that issues in product quality are heavily front-loaded – as a product matures, the number of newly discovered quality issues decreases. Thus, the security issues are almost always within the newest technologies.
This forces security professionals to be always conversant on the newest technologies. Imagine for a second that we had a time machine, and we brought three IT professionals from 1997 to the present: a Unix system administrator, a C programmer, and a security engineer.
The Unix system administrator’s knowledge of SunOS 2.6 would allow them to be functionally conversant on a modern *nix system. They’d have a few things to learn, but most of their fundamental knowledge (e.g. run levels, cron, syslog) would be useful today.
The C++ programmer would still be able to hack on code. Sure, there have been changes to the STL over that time and there are some new constructs. They might have to learn pair programming and agile methods. But their coding skills would be the same.
The security engineer would be…. well, lost. Functionally incompetent. They could expound on Smurf and Land attacks and ensuring that there were as few SUID binaries on your box as possible. But they couldn’t even use the basic technologies… Firewalls weren’t stateful. IDS was barely nascent. There was no such thing as spyware. SIEM, DLP, and anti-spyware would have been terms that made no sense. No wireless networks. Not to mention that “cloud” and “social network” would have garnered confused looks.
Five years from today, the Unix admin and the coder will still be conversant. And my examples that I used talking about the security professional will seem quaint and antiquated.
This is because the challenges for the security professional are always in the brand new technology – we don’t deal with issues in the IP stack because we handled them in 1997. And we moved on because the attackers found more fertile ground in the new technologies. And we will move on again – in five years, web app security will be old hat, as will “the cloud”. (“Remember when we were all worried about issues on Facebook and Google Apps?“, we’ll remenisce at Defcon 22…)
This makes it extremely difficult to create a long-term career in infosec – the moment you stop being conversant in the newest technologies is the moment that you’re functionally obsolete. So, we have to be willing to make a long-term commitment to our own growth and investment. We have to study. And we have to continue to grow every day lest we be left behind.
![[del.icio.us]](http://images.del.icio.us/static/img/delicious.small.gif){kind=small}
Effective Information Security Career Planning at DefCon
July 29, 2009
We are excited about our upcoming 3 hour presentation/training class at DefCon on Thursday, July 30th at 1:00PM. We are thrilled to have been invited back to the DefCon stage and are always energized by the audience. This is the first time that we have been provided the opportunity to deliver this specific content in this type of format.
The presentation represents an interactive approach to assisting Information Security professionals in the planning, management, and the development of their careers. We have designed specific career planning exercises that will enable the attendees to leave the session with better guidelines for the creation and execution of their personal career plans.
As always, we will make ourselves available for individual career related questions following our presentation.
If you are attending Black Hat or Def Con, you will be able to access the session. We look forward to seeing you.
Lee and Mike
Job Satisfaction in Security
July 24, 2009
Lee and I had a great chat with Kelly from Dark Reading yesterday about the results of the survey that we released at last year’s Defcon talk. Kelly put up a great story about one of the results, called One In Two Security Pros Unhappy In Their Jobs. From the article:
“Kushner and Murray say they were surprised by security’s high number of unhappy campers — 52 percent of the around 900 security pros who participated in the survey are less than satisfied with their current jobs. Only 27 percent said they are are satisfied, and about 21 percent said they are more than content, according to the survey. “People in security are generally passionate about what they do,” Murray says. “You’d think in a progressive industry that [it wouldn't be the case] that one out of two are not happy…that shocked me.”
Shocked doesn’t begin to cut how I felt about this result:
These numbers show that an overwhelming majority of the people who are reading this blog are less than totally jazzed and excited about what they’re doing on a daily basis. In fact, only 6.2% of you are “extremely satisfied” (and removing the entrepreneurs from the survey, that number drops a full point to 5.2%).
The first question I ask people when I’m coaching them or working with them on their career is simple: “what do you want to do?“. Because I really believe that if you’re going to spend more than 1/3 of your hours every week doing something, I can’t believe that you’d want to be one of the more than 50% who are less than satisfied.
Not to mention that I’ve always been a believer in the idea of “do what you love and the money will follow”. The survey definitely backs that up – of the 6.2% who are “extremely satisfied” with their position, a whopping 56% of them have an annual salary greater than $120K. Only 26% of those in the survey as a whole are making that much. (Note: the cynical of you may suggest that they’re satisfied because they’re so well compensated, but studies have repeatedly found that money isn’t a good long-term predictor of job satisfaction).
Career Advice Tuesday- When The Economy Negatively Impacts Your “Good Job”
July 21, 2009
Dear Lee and Mike:
The ongoing hardships caused by this lovely economy have now really
started to impact our company culture. Things are now quite strained.
We’re not getting any raises, no empty positions are being filled,
everyone’s doing extra work, training budget has been killed off. In
short, it’s getting fairly grim.
In spite of it all, I’d honestly like to stay at this job. I
strongly believe in our mission, and I’m friends with most of the
coworkers, but things are souring… what can I do to re-sweeten
things? Or am I simply holding onto past glories?
Signed, Conflicted
Dear Conflicted:
Let me start by saying that you are not alone. Many of your peers are experiencing some of the same things due to economic issues. The loss of corporate revenue has negatively impacted training budgets, technology advancements, raises, and bonuses across the board. Unfortunately, as professionals we have grown a bit accustomed to the perks attached to our position. When employers begin to tighten the purse strings are we are asked to share in the burden, it becomes a bit uncomfortable.
From what you have described it appears that you particularly have a couple of good things going for you:
1) Although you are currently experiencing some short term discomfort, it appears that your company has a track record in the past for “doing the right thing” by making solid investments in the Information Security program and the staff.
2) It also appears that some of the core values that relate to your situation remain intact. You believe in what the company is doing, you have solid peer relationships, and my guess is that you are well thought of, and your opinions are well respected. All of these things are positive.
My advice to you (and your peers) is to give your current employer the benefit of the doubt, in the near term, and utilize this as an opportunity to attempt to creatively solve your problems and build your personal brand.
Here are a couple of examples :
When a department is understaffed, and are not adding new personnel, there is usually an opportunity for work that is outside of your traditional comfort zone. Try to volunteer for some of this newer work, so that you can develop a new skill or perfect an existing one. If you can utilize this opportunity to build more skills, your future value and marketability will increase, whether you choose to remain at your current employer or move on.
Regarding training, I believe this is when you need to utilize your creativity to continue receiving training but at a lesser cost. This is the time that you can get together with your team and figure out some solutions and present them together to management. Remember, there is always strength in numbers, and you may achieve a greater impact if you address this with your manager in collective fashion.
Here are some suggestions that may provide a lower cost option to training:
1) Build an Info Sec Library – Ask your employer if they will reimburse the purchase of information security related books, that can be kept as a corporate reference guide.
2) Volume Discounts – Call up some of the traditional training programs and conferences and ask for volume discounts. These folks are in business too, and they may be flexible. They are facing some of the same economic issues.
3) Invite Guest Speakers – Many people in Information Security like to share their knowledge. Create a guest speaker program where you can bring in an external speaker (you may have to cover some travel expense and meal) once a month, to address a specific topic.
Unfortunately, I do not have any solutions for bonuses or raises. If money is the main motivator, you may be forced to begin looking for a new role.
In closing, I believe that you will benefit for exhibiting a little bit of patience with your current employer. However, if things do not change in three – six months, and you are still having the same feelings, you may have to begin looking elsewhere.
Hope this helps.
Lee and Mike
Will The CISO of the Future Be A Woman?
July 6, 2009
I attended the Gartner Conference on Monday and I sat in on a panel called “The CISO’s Skill Set.” The panel was headed by Ray Wagner of Gartner, and the panelists included David Foote (Foote Partners), Alan Paller (SANS), and Joyce Brocaglia (Alta Associates).
As the panel went on, the discussion headed in the direction of what skills would comprise the CISO of the future. Almost on cue, the panel unanimously agreed that the CISO needed to have a good blend of technology, business, and people skills. They also stated that the future CISO would be a great communicator, consensus builder, and a change agent.
In response to this, Ms, Brocaglia stated that the latter of these interpersonal qualities necessary to be successful for the role will most likely be found in women.
Whoa! That was heavy. This statement should have sent shockwaves through the audience, which was comprised of corporate information security leaders and was roughly 85% male. I could not possibly imagine devoting your career to a profession and then being told that by gender alone you are less than desirable.
Before I go on, I would like to provide a couple of disclosures:
1) I am male
2) Ms. Brocaglia’s company (Alta Associates) is a competitor of mine (LJ Kushner & Associates)
3) I have professional respect for Ms. Brocaglia and the Executive Women’s Forum (which I think is a great idea)
4) I often disagree with Ms. Brocaglia
Ms.Brocaglia’s statement (which she supported with a reference to a HR study) that females are most likely to be more effective communicators, change agents, and consensus builders, promotes a prejudice and a stereotype, that men (as a group) are less capable of possessing these attributes. The results of the HR survey may be accurate, and indeed women (as a group) may be more likely to excel in these areas better than men (as a group), but this should not have any effect on the recruitment of an effective CISO.
Companies do not hire groups, they hire individuals. Generalizations should have no bearing on and should never influence the decision making process, when it comes to selecting a qualified CISO. When a company is searching for a CISO, they will identify an individual who possesses relevant skills,has demonstrated professional excellence, and is capable of providing leadership to their information security program.
Collectively, it is my experience that the women who have chosen Information Security as a career are traditionally high achievers and many have gravitated towards positions of leadership. In many cases, they have had to overcome greater adversity and gender based prejudice to achieve similar professional success as their male counterparts.
The female information security leaders that I have encountered share common traits. They are all smart, business savvy, technical, personable, and driven to succeed. They are tough negotiators and have a great deal of conviction in their beliefs. Ironically, these are the same skills sets that male information security leaders possess.
In my opinion, skills that include consensus building, effective communication, and organizational transformation can be classified as softer skills. These are skills that are developed through experience, maturity, and conflict resolution, and are not inherent to gender.
I agree that the skills that Ms.Brocaglia mentioned are all skills that are necessary to be an effective CISO. However, these aforementioned skills are ones that need to be developed and cultivated, independent of gender.
In the past thirteen years, I have worked with many companies in their search of competent information security leadership. They all have one thing in common, they are looking for the best talent who can thrive within their environment and get the job done. I have never once heard a client mention the applicant’s gender as a qualification (nor do I ever think I will).
One of the items that I stress the most in any recruitment process is to keep an open mind to candidates with different backgrounds and unique experiences. I have had many instances where clients have hired Information Security leaders who did not come close to matching their initial “ideal” candidate profile. However, by getting to know these candidates through the interview process, they discovered that their experiences were quite relevant and would enable them to succeed in an information security leadership capacity. In all of those cases, the customer was happy that they discarded their initial prejudices and overlooked their preconceived notions.
The CISO of the future will be a special leader. They will be innovative, the will be highly skilled, and they will inspire others. They will be of different gender, race, religion, and ethnicity. They will have made strategic career investments that separate them from their peers. They will be hard workers. They will have high moral character. They will be competitors.
They will be the top 1% of our profession.
We all still have the chance to be that leader!
“All generalizations are false, including this one.” – Mark Twain
No InfoSec Talent for Open Positions? “Well,That Figures?”
June 11, 2009
I read a blog post by Meridith Levinson, on CSO Online, in response to the recent ISC2 survey which stated that 80% of hiring managers who are looking to fill IT security positions are having a hard time filling these openings. The report cited the following reasons for this situation – wrong skills, not enough qualified people in the local area, and security professionals are commanding too much money.
It appears that Meridith was quite frustrated wtith the results of the survey. She titled her post with the dreaded “WTF” which I know is not an abbreviation for “Well, That Figures.”
So, how could this be? Are the reasons valid? Can this be possible when so many talented information security professionals are looking for work?
If you are listening Meridith, I hope this helps to explain these findings and alleviate some of your fury:
1) There is a Big Difference Between Shopping and Buying.
Information Security Managers are short staff in general, and are always looking for talent to address the work load. However, looking for people, and actually being able to hire them are two entirely different actions. Corporations are dealing with many more -pressing business needs in this climate, and hiring full time employees (Information Security professionals or others) are down on their list. Currently, hiring decisions are being scrutinized at every organizational level and business function.
The desire to hire is not in doubt. The ability to hire definitely has some resistance.
2) Job Opening – Information Security Superhero
Employers are looking for Information Security Superheroes, when in many cases what they are able to afford is a one trick pony (especially one that can perform a really cool trick). Often employers receive permission to add a single headcount. When this happens, they often try to cram all of the possible skill sets that they are searching for into one singular position.
Throughout my time as a recruiter, I have seen many job descriptions that require skill matrices that rarely exist in the real world. Due to the rarity of the skill combos, the candidate is able to command a higher salary. This salary is often outside the compensation range that HR has allocated for the role.
Remember, just like in the comics, Superheroes do not ever have to look for work, work finds them.
3) Employers Are Not Searching Correctly
Information Security leaders are only part time recruiters and often cannot dedicate the necessary time to the talent acquisition process. They often rely on other resources to help locate the right candidates for their open positions. Due to the complex skills that these roles require, your recruiters need to be educated to properly filter candidates best suited for the roles. Many times, qualified candidates are overlooked for consideration during the early stages of the process. The more detailed the position, the more elaborate the search process needs to be. Whether employers are utilizing their shared internal recruitment resources or external search partners, this level of education is generally lacking.
4) The “Right” Candidates are Happy with their Current Position.
This would make sense. Many talented information security professionals are gainfully employed and well thought of by their current employer. In these economic conditions, many Information Security professionals are not keen on jeopardizing the “security”of their current role, for the potential opportunity that exists with another employer.
5) We are Information Security Professionals not Professional Resume Writers
First, we are generally guilty of producing generic resumes that are not geared to specific positions that we are applying for. (See Mike’s last post). Second, many people in the recruitment process only consider the resume, and never pick up the phone to discuss the candidate’s skill and the position requirements. Since they are currently inundated with so many resumes, it is near impossible for them to go into this level of depth. This fault is shared by both the candidates and the hiring entities.
6) Too Many Pre-Existing Notions About Candidates’ Individual Circumstances
We are always making judgment of others, especially in the hiring process. As security professionals we are skeptical by nature (it is why we are well suited for our profession) . Throughout our careers, we have been preconditioned to think certain things when we learn about a candidate’s employment history. Here are a few that should sound familiar – “Overqualified, ” Short Term Job Durations,” “Big Company Person,” “A Consultant not an Operator,” and “If they are so good, why are they out of work.” When we think these things, we immediately create doubt in our mind about the person’s ability to be a valued employee. Sometimes these prejudices prohibit hiring managers from considering suitable applicants.
7) Employers Have a Right To Be Picky
Why shouldn’t they be? Don’t they have this right? Team building is one of the characteristics used to judge their effecitveness as an Information Security leader. When you create an information security culture, it is critical that you utilize a high level of scrutiny is being used in all of your hiring decisions. If you relax these standards, for even one hire, it could have a negative impact on your existing team and the function as a whole.
Hiring managers also understand that theri is a consequence for being too selective. If the hiring process takes too long, it will sometimes be determined that the position is not necessary, and the job opening will be eliminated. In that case, there are no winners.
I do believe that all of the items that ISC2 cited in their survey are valid and accurate. I have a great respect for the organization and the professionals that hold their certifications. As the report referenced, there is still a demand for Information Security professionals, who have a high level of skill and contribute fair value for their compensation.
If you listen closely, you will hear what the industry is telling us.
Keep investing in your career, keep current with your skills, develop new ones, and demonstrate your value.
It should be comforting to know that 80% of the hiring managers are looking for someone just like you!
Social Engineering Sporting Events
May 13, 2009
Two Saturday’s ago I went to my first baseball game at the new Yankee Stadium. We had purchased the tickets on StubHub, in February, and paid about 50% more than face value. We took the subway and arrived at the stadium at 11:30 for the 1:00PM game. As we got off the train, I saw the old stadium, and immediately it brought back a number of fond memories. It was there I saw my first baseball game in 1977 and witnessed Game 7 when the Red Sox broke “The Curse”.
I have to give credit, the new stadium is beautiful. The design captures many of the features of the old stadium (it really looks the same), but has all the amenities of a modern ballpark. The “sight lines” were great, all of the refreshment stands had calorie content (make you think twice about ordering a chicken parm), and the bathrooms were clean.
As game time approached, the sun came out, 40,000 plus settled in their seats as rose for the National Anthem, one thing stood out. A majority of the best seats were empty. I am no genius but I believe that it has something to do with the ticket prices. That started me thinking – could you social engineer your way into sporting events and wind up with the best seats, without forking over the equivalent of a mortgage payment?
Hackers and pen testers have made their names by claiming the various trophies of the digital world, NASA, the White House, the NSA, but could the sports and entertainment venues be hacked?
Earlier this year I read an article by Rick Reilly, about a life-long Philadelphia Phillies fan, Lionel Rodia, who worked his way onto the field after the final out of the World Series, participates in the on field celebration and then works his way into the Phillies clubhouse where he joins the Phillies in the champagne spraying ritual that comes with sports championships.
I thought that the Reilly’s account of Lionel Rodia’s sport’s hack was a one shot deal. A perfect storm of activity. But could it be done consistently. What about a “Grand Slam” of Event Hacking?
To me the trophies would include the following:
Seats behind home plate at a Yankees vs. Red Sox playoff game (where you are in the TV shot)
50 yard line seats at the Super Bowl?
Floor Seats at the Staples Center next to Jack Nicholson at LA Lakers Playoff Game
Entry into the Oscars or the Emmys (including a walk on the Red Carpet and interview with Joan Rivers)
Front row tickets to a Springsteen Concert in the Meadowlands
I wonder if anyone from the Information Security/Hacker community had tried this, and what it would take to accomplish such a feat. I thought it would make a great realty show!
Or at least a great DefCon presentation!
Interview with Art of InfoSecurity – Part 2
May 12, 2009
Recently I finisehd an interview with Eric Heidt, author of The Art of Information Security Blog. The interview was posted in two separate segments. You can find the first segment posted on April 17.
The interview encompasses some of my thougthts around career management and career planning.
I welcome any questions or comments.
Decisions and Dilemmas
May 8, 2009
During the 1986 baseball season, the New York Mets were getting ready for the World Series. During the season, their four starting pitchers Dwight Gooden, Ron Darling, Sid Fernandez, and Bobby Ojeda were all pitching well. Since the World Series schedule (back then) only required three starting pitchers, a reporter stated to Mets manager Davey Johnson, “You have a dilemma on your hands, you have too many starting pitchers. ” Johnson responded, “You are incorrect. A dilemma is when you do not have enough starting pitchers. I have a decision to make.”
In speaking with a candidate the other day, he told me that he had a dilemma on his hands, he had two job offers that he was considering, both were compelling and he did not know which one to choose. At that time, I remembered the Johnson quotation, and explained to him that he was fortunate to have two opportunities and he had to make a decision regarding his immediate future.
Due to the shortage and need for Information Security professionals, we, as an industry, have been fortunate enough to be faced with more “decisions” than “dilemmas.” When you are currently employed or engaged, you always have a decision. You can evaluate if the new opportunity is better suited for your career than your current one. In many cases, even when in transition, Information Security professionals could choose between a number of career choices, and had to make “decisions” regarding a variety of options and environments.
Today, the market is a bit different. Sure, there is still a shortage of talent and we are in better shape then most other professions, but I am surprised to see how many quality Information Security professionals, have found themselves in “career dilemmas.” Many of these talented professionals, some whom I have known for over a decade, have traditionally been highly sought after and have impressive credentials. Unfortunately, many have not planned accordingly or developed “career contingency” plans.
The problem they are facing is that their qualifications and their salaries have put them in a place where their job searches are going to take a good bit of time. However their financial situations do not afford them the luxury for waiting out a lengthy job search process, and they need to find a steady paycheck. This is definitely a “dilemma.”
Here are three pieces of advice that I traditionally give to them:
1) Leverage your network to find contract work so that you can relieve yourself of immediate financial pressure.
2) Position your resume, so that you can demonstrate your most marketable skills that solve pressing information security issues.
3) If you are forced to find a full time job immediately, define the “lowest common denominator” for your career. By that I mean, to figure out the lowest level position and salary that you are willing to accept, as you try to find employment quickly.
There is no substitute for proper long term career planning, it is truly the only way to avoid a career “dilemma”. We never know what the future will bring.
Celebrating My RSA Bar-Mitvah
April 29, 2009
Thirteen years. A lot has happened to me in the past thirteen years. I changed careers (used to work for the LA Dodgers), started a business, went through the dot-com bubble (ear to ear smile), went through the dot-crash (big time frown), got married (twice), stayed married (once), and have a wonderful son (Brodie).
The one constant during that time for me, is the RSA Conference. I remember one of my first conferences, when it was located on Knob Hill, and it rained the entire time. I thought to myself, that whomever sponsored the umbrellas must have made a Faustian deal with the weatherman. I have been to San Jose a number of times, as well as both sides of the Moscone center. I have never been to one Cryptographers Ball. (But have heard good things).
I was there to remember the Year of PKI. When companies like Verisign, Entrust, Baltimore an the others were flying high. I remember when PKI was reinvented as Identity and Access Management – and companies like Netegrity, Oblix, and Waveset stole the show. I remember the growth of the pure play consultancies – the Guardents, the @Stakes, the Foundstones and such. The birth of managed servcies was a fun time as well – Counterpane, RipTech, Telenesus, Luhrq, etc The good old days, when Symantec was a pure security play. Even when RSA was still a company.
I remember when the CFP was easy to fill out. One page, fifteen minues. This year, the submission process, included posting a video on YouTube. I remember being surprised when my talks were accepted. This year, I was quite disappointed when theywere rejected. Perspective.
Some memorable experiences have happened to me during the show. In 2006, as I was walking onto the show floor, I received a call that my mother was rushed to the hospital and boarded a plane to Memphis, not sure if she was going to make it or not. Most scared I have ever been in my life. Thankfully, she was/is fine. I spent the next two weeks watching all the events of the Torino Winter Olympics. I have a new appreication for the biathalon!
The most important moment for happened at my first RSA, actually coming home from it. As luck would have it, I wound up sitting from my next to Nicole Schmidt, an industry research analsyst at CIBC Openheimer. From those six hours on the plane, we built a long lasting friendship. In 2004, at a lunch meeting, Nicole made the suggestion that I meet her best friend from childhood. Michele and I were married in September of 2007.
People like to downplay the relevance of RSA. They growing sentiment is that it is a marketing party and not a platform for the latest technical advances in our profession. I look at the event for what it is and what it has become. It is THE mainstream Information Security event. It is a place where people gather and share their experiences. It is where business development deals are forged, faces are put to names, a coming out party for some, and a swan song for others.
Since returning I have heard it all both negative and positive. “I can not belive _____ did not show up”, “The speeches were lousy”, and “It cost too much”. I also heard, “I got to spend time with my friends”, “It was great to catch up with people I have lost touch with”, and ”The “party was fantastic but he music was a bit too loud”
Sounds a lot like a BarMitzvah.
L’chaim RSA!!