And NO, I am not talking about the great folks at Offensive Security. I KNOW they exist. 🙂
I had some great commentary and discussion on my last post, “Doom, Gloom, and Infosec“. Jericho rightly pointed out the ever-popular Charlatans page at Attrition. This could definitely lead some to feel a little despondent or at least irritated in this field. Asshats have a way of doing this. Wendy at 451 had some interesting thoughts, too, as did a few other sites and folks. My friends at the Infosec Daily Podcast, Rick and crew, had a discussion about the post that really got me thinking, though.
In my post, I list some general ideas of reasons why infosec might suck. These were totally off the top of my head, based on a lot of conversations I’ve had in the last few years with people in all walks of the industry (consultants, company and end user practitioners, CISOs, trainers, you name it). The ISD crew talked about them, and made an interesting statement – “as offensive folks, many of these don’t apply to me|us”. The premise being that folks playing DEFENSE (responders, intrusion analysts, firewall folks, etc) have a worse time of it. This is likely true. But the point that stuck with me was the concept of “offensive infosec” roles. The assumption, of course, is that this means vulnerability assessment teams, red teams, pen testers, and so on. And I get what they are saying. However, I want to refute the concept of “offensive” vs. “defensive” security staff. I don’t think that’s realistic. Reason? Offense really exists for one reason only – to inform defense. In my mind, this really means we’re ALL defense. We just accomplish our defensive strategy and tactics in different ways.
I am a pen tester and someone who enjoys “breaking” as well as “fixing”. Would “breaking” fit into a security philosophy if not for the perceived benefits to “fixing”, though? I’m not trying to blow this all out of context, I know exactly what the ISD dudes meant, but it just got me thinking – when we classify ourselves that way, we may in fact be doing ourselves a disservice as a whole. Interested in your thoughts.
I’m perennially happy. I am almost always in a pretty good mood, despite my inherent sarcasm and less-than-politically-correct approach. But I get the impression that many in infosec are not. Everyone is different, and I don’t want to stereotype, but I do run into a lot of gloomy folks. Why is the infosec profession so unhappy in general? I closed out the IANS forum in Chicago today (which ROCKED, by the way, just too much awesomeness in CHI to contain), and Ron Ritchie made some comments that I thought were pretty spot-on in his closing thoughts. He mentioned a few good reasons to be in infosec, and I’ll list some below, including his:
Reasons infosec rocks:
- Money is good! (Ron)
- We have tons of interesting things to work on! (Ron)
- We bring real value to our organizations! (Ron)
- We can actually detect and prevent crime in some cases!
- We have one hell of a solid career path, in general!
I’m sure this all sounds good. High-fives all around! Hmmm. Wait. We’ve still got that “Sad Panda” problem. So there are surely some negative aspects to infosec as well. What are they? Based on my experience as a practitioner, consultant, trainer, and general curmudgeon (albeit a pretty jolly one), a few things I can think of:
Reasons infosec sucks:
- People ignore us, hate us, or perceive us as roadblocks. Or all three.
- Infosec never seems to be “done”, ever. Always an ongoing endeavor.
- The landscape in infosec changes so rapidly it’s difficult to keep up.
- Overall, infosec is “hard”.
- Related to the first point in this list, we may feel “at odds” with business units and IT organizations.
- There’s a general sense of “futility” – we can’t “win”.
- Our career paths are wack – do we really have any respect?
Surely I’m missing things here, likely both good and bad. However, being the “glass half full” kind of cat that I am, I am inclined to think the list of “things that rock” far outweighs the list of things that suck. Seriously! What are we so worked up about? Lots of jobs are much drearier than most of ours. And people make the best of them, get the paycheck, and go have a life outside of work. I won’t even try to speak for everyone here, that’s crazy, but I see a lot of people internalizing their positions and the issues they see in their jobs, when they should really be trying hard to leave that stuff at the office. Infosec is not a calling. There, I said it. It’s not. It’s not a crusade. It’s not the end of the world if a security control fails, or an employee gets phished, or you lose some data. Sure, it SUCKS and all, but deal with the stress of the moment and move on! Life is short. Enjoy the good aspects, deal with the bad, and most of all, get some hobbies that do not involve a computer, security, or anything else related to infosec. I love this field with all my heart, but I recognize that this is not sustainable. So…why are folks so burnt out? What am I missing here?