Happy Holidays to everyone! I plan to start writing more in 2009 (sounds suspiciously like a resolution, but I have been working up to this for a year, I think). For my end-of-2008 post, I offer a few thoughts for all of my fellow security geeks out there. These are just considerations, not absolutes, but things that have worked for me in my career so far. Will they work for you? Who knows – we’re all different. But while we’re making resolutions, maybe these thoughts of mine will influence you in some way. Enjoy!
- Get out of product land. I have made this mistake before early on, and it’s really easy for us to make in the security field. “I’m an expert with Sourcefire 3D” or “I’ve been working with Symantec XYZ for 3 years” are the kinds of statements that will rot your brain after a while. Do you understand the real fundamentals of intrusion analysis? That’s a better question. The point of this is to learn security fundamentals and really grasp concepts more than having in-depth knowledge of one product or another. Granted, you need some specific product knowledge for jobs, but don’t let this dominate your concept of how good you are.
- Nothing in the CISSP will actually help you do your job. I’m sorry to have to call it for what it is – academic theory, almost entirely. Is it good to know? Sure. Does it help you market yourself to those who have no concept of what real security is? Yep. And for those of you who know me, I’m a big believer in marketing yourself. However, I have done just about every type of security work there is, and I have never had to call on my CISSP training. Ever. If anyone ever references the Bell-LaPadula model in a real-world scenario, smack them. Hard.
- Get some Linux skills. If you have them, keep working on them. I find that working in Linux and Unix operating environments requires a different mindset than M$ environments, and it’s the right mindset to be in for security folks. You can tinker and tweak and script and try new things, all with the basic fundamental knowledge of the OS and a little script-fu. M$ just doesn’t offer that, despite the advent of PowerShell (which is great stuff, don’t get me wrong). You really need both, but there are those who just constantly make excuses for why they don’t have Linux skills, and that’s not going to fly forever.
- Read more. If you’re not devoted to being a lifelong learner in this field, get out. Seriously. It moves too fast, and there’s just too much to learn to avoid constantly sucking up knowledge. For bibliophiles like me, this field is perfect – there are always things to read and learn about that relate to security. Not all security books, either! Read about advances in networking, programming, etc. The more you know, the better you’ll be.
- For those of you hiding behind “policy” – get some damn technical skills, would you? Even if you’re a manager, and I’ve been one plenty of times (including now), you need some Kung Fu to be respected by a technical team of people. If you pride yourself on memorizing Charles Cresson Wood’s “Information Security Policies Made Easy”, you should have been an accountant. Do you need to be able to dissect a packet header and write hardcore scripts? No. But don’t be nothing but a paper pusher. I predict the demise of the non-technical security professional within 2-3 years, if not sooner. And good riddance.
- Get comfortable with writing and speaking in front of people. Although these skills may not apply to you much right now, they will – and the better you are at them, the further you’ll go in your career. In fact, most hiring and promotion decisions are made because of personalities and people skills, not technical skills. Do you look people in the eye when they talk to you? Can you articulate a security project plan in business terms and describe the benefits to business unit managers so they know why they’re spending money on a) the project and b) your salary?
- Turn off your computer once in a while. Really. No, I mean it. Go outside. Take a run/walk/hike. Spend time with your kids and family. When you come back to your computer, all the completely wack security issues you’ve come to wrap around yourself like Linus’ blanket will still be there. Promise. But you’ll feel refreshed, your brain will hurt less, and your body will thank you for it.
So there’s my abbreviated list of thoughts for my fellow security geeks out there. Again, nothing is an absolute on this list, but they’re based on my observations and personal actions of the last 15 years, and some of them may resonate with you. Regardless, I’m 100% stoked for 2009. DESPITE my 401k. 🙂