Michael R. Farnum

Hitting the Security Nerve

The life of the security professional...grand it ain't!

When I first started my career as a security professional, all I could think about was the movie Wargames.  I had grand ideas that making a network secure meant designing this really cool security infrastructure with firewalls, intrusion detection / prevention, anti-virus gateways and servers, honeypots and honeynets, vulnerability scanners, etc., etc., etc...  I just knew that I was going to spend my days tracking hackers that were trying to break into my network.  I was ready for the cool life of hacking computer systems for legitimate purposes and learning all the sweet tricks of the trade.

 

Then, reality smacked me right in the side of the head.  I soon realized that a more typical day at the office was me trying to figure out why that firewall I installed wasn't passing traffic while simultaneously trying to figure out where the CEO's email had disappeared to, all while being hassled by some unit manager to check if Joe Pervert was looking at porn on the night shift.  When I wasn't performing those flamboyant duties, I was writing a policy about what the users should not be doing on the Internet and having it shot down by management because they didn't want to deal with users actually having to do their job (yes, this is a dig on everyone who thinks I am a scrooge).  I soon realized that the security profession was actually real work.  What's up with that??

 

Of course, there are some who live the dream.  These guys and gals are the bona fide experts who have taken the path of the white / grey hats that do get to hack and play all day, kinda like video game testers (now that would be a sweet job).  You may have heard of these fabled security "red teams" that security consultants bring in to test the weaknesses of a system.  They come in (typically unbeknownst to the little people) and try to sneak into a building and steal passwords using social engineering tactics and the like.  But getting a job like that is not likely unless you are very good and very specialized.  That type of job is very much in the minority in security.

 

There are also some other decently entertaining security jobs out there.  Getting a job as a manufacturer or partner sales security engineer (which is what I do) does not have as much pressure in many ways and gives you the ability to design security without the constant job of support hanging over your head.  And the security analyst / consultant job (also part of what I do) is pretty sweet at times.  The down side to those is that you are always tempted to sell your soul for the almighty dollar, so you have to be careful.

 

Not to be the downer here, but if you are an aspiring security professional, read this post closely.  Grass on this side of the IT fence is not always bright green.  In fact, it is about as brown as it can get most of the time.  I am not saying it does not have its fun moments.  But for the most part, it is just real hard, down-and-dirty work.  I recently gave a talk to a group of sales people at a security vendor to help them get an idea of what the typical security manager goes through every day (go take a look here).  It ain't pretty.

 

So, why am I writing this depressing mess of a post?  Because I want to be a filter of sorts.  I want to have some kind of influence on you, Mr. or Ms. Wannabe security professional.  If you decide to come over to the dark side, I want you to know what it is really like.  I don't want you to come over with stars in your eyes, only to figure out that Hollywood got it wrong and you have wasted a bunch of your time and my time.  The security profession does not need people who think it is all glitz and glamour.  The security profession does not need whiz kids who can't deal with people.  The security profession does not need cry babies who can't handle a real crisis and can't hang when the going gets tough.

 

The security profession does need passionate professionals who want to do the job well, no matter the grind.  The security profession does need fresh blood who want to do the job because the job needs doing, no matter how many policies and procedures need to be written.  The security profession does need individuals who will deal with that C-level manager who can't figure out that security is job one.

 

Please, please, please notice that I did not say that the security profession does not need young people.  I am not one of those old guys who thinks only the old ways are best and that young people are filled with too many newfangled ideas.  In fact, if you will notice, I said just the opposite.  I said the security profession needs fresh blood.  It needs to be shaken to its core sometimes, and I know there are those of you out there just coming out of high school and college who have some great ideas and are zealous about security.  You are the type this industry needs.  Please come and join us.  Please shake us up and make us think.  We can get stuck in our ways, and that is not good for the industry either.

 

But I ask one thing before you get on board: don't be afraid to work hard.  Because that is often the most admirable and most needed trait of a security professional.

 

What People Are Saying

>Bonified? Or Bona Fide?

I faled the Sertifide Spel Cheker test! :)

Thanks Picky

Better be despised for too anxious apprehensions, than ruined by too confident security.
Edmund Burke (1729 - 1797)

I got into security after being an IT auditor for many years. Now, I'm completely devoted to security.
People entering security should know that it's a career that requires continuous training and learning. IT careers are demanding in time to keep updated; security is even more demanding. People who don't like to read books, learn new stuff or be self-taught shouldn't enter this field.

Picky Picky:

Thanks. Typo corrected.

Joyce

I, like many others, just stumbled into it. As Anton said, I was just doing the job at hand to the best of my abilities and stopped for a minute to consider what I was doing and found that it was security work. It is what it is...who knows, I could find myself doing something completely different a few years from now and it wouldn't surprise me or faze me for a second.

Everything is what you make it.

Bonified? Or Bona Fide?

:-)

I was one of those guys that had the bright star in the eyes, but fortunately I came to realize soon that this is not Hollywood (in fact, I despise all those Hollywood "Consultants" telling scripts from a bad movie just to sell a box or service), and then I was proud that I belong to this fascinating, mind-blowing, hard-work career, so cheers colleagues!

I never planned to get into security; I just did all the things that needed doing, often changing 'hats' and not getting hung up about titles. Then one day I realised - or perhaps someone told me, I forget - that this was security stuff I was doing so well. Oh really? I thought it was just doing the job well.

So here I am today with the wannabes asking me how to get a job in security and what certification they should get first. How the heck should I know?

Yes, security management is generally hard work. But try designing and leading security awareness programs. You must not only overcome users' barriers to dreaded mandatory security training, but also corporate cultures that believe security may or may not be important, but it's SERIOUS so training must be stodgy and painful.

What attracted me when entering the security profession was the technology, and gaining knowledge and experience in a field I found interesting. So while my experience is quite similar to yours, I found the work interesting nonetheless.