Comments on Securology: So you think you want a job in Computer Security

Blog author: Tim MalcomVetter. Feed updated 2023-08-30. 9 comments.

Paul Hite (2009-03-01 12:25 -06:00):

Take the post for what it is: The far end of the spectrum of opinions on Security jobs. I enjoyed the article, and I believe it has great merit and deserves to be read, whether or not it is 100% true for everyone. It's targeted towards aspiring security professionals, and if you fall into that category, you should be interested in hearing BOTH sides of the story, not just the fluff fed to you by schools and certification vendors. It's his experiences, we should all be interested in listening to them. It's the mark of an educated mind to entertain a thought without accepting it.

Anonymous (2009-02-27 14:16 -06:00):

What this really boils down to is the organization that an in"duh"vidual works for in any security related role.

It is the company in how effectively they have laid down their security strategy, requirements, policies, procedures, directive, guidelines, planning, etc. that will influence your experience as a security employee. All of these will affect whether your role is taken seriously, whether or not you will get lynched at the end of the day, if you get sold out or not, frowned upon or appreciated, and ultimately whether you hit the Peter Principle.

For all those security folks out there, I am sure many of you have landed a role in an organization where "functionality", "ease of use" and "product delivery" occupy a substantially higher priority than security ever will. In places like this you will constantly be thrown into oncoming traffic, you will be ignored, hated, shunned, frowned upon and disrespected. Why? Because the company has no desire whatsoever to implement security into their application development process. If you find yourself in a role like this without any executive level sponsorship, GTFO and don't go back.

So my advice, don't bitch about it and don't try and talk other people out of it, educate them so they know what to look for, how to identify warning signs, what sort of questions to ask, and above all, how to make sure they do not end up like you!

Unknown (2009-02-25 09:16 -06:00):

Looks like someone has a bad case of "sour grapes". Awwwwwww.......

Tim MalcomVetter (2009-02-22 16:33 -06:00):

Aaron,

Woo-hoo! I succeeded! (That is, of course, if you really do change your mind. :)

On a (slightly) serious note, like some of the other commenters said, it is possible to enjoy this work, provided you understand all of these negative aspects first and are still okay with it. Or, provided that you get your satisfaction out of something outside of work (like my references to backyard barbecues and retirement). If you can make it "just a job" then it could be a rewarding one. It tends to pay better than average IT pay.

adfadfbsdg (2009-02-22 13:35 -06:00):

Haha, good read. I am an aspiring student hoping to get into this line of work. So thanks for blowing my aspirations!

Na just kidding, but I will definitely show this to our school's system admin. Hopefully he will get as much of a kick out of it as I did.

Tim MalcomVetter (2009-01-31 11:04 -06:00):

@anonymous,

And I think my last two paragraphs sum up nicely-- even validating your remarks.

1) If you can work on an unsolvable problem without being depressed-- go for it.

2) If you cannot (because of your idealism), go seek a job that may be more rewarding (like teaching high school math).

It's interesting that you saw only the negative aspects in my original post. I had to re-read what I wrote (forgot it already) to confirm I really did look at both sides.

Tim MalcomVetter (2009-01-31 10:41 -06:00):

Dear anonymous (Jan 30),

I won't comment on everything you said (I welcome and appreciate your differing perspective, though), but I will say this: There will be people who will read my original post and say "Oh, no that's not the job for me." And that's good. Those people don't need to work like that. There will be others, like yourself, who will read this and say "Yeah, so what? I deal with it and am fine." That validates that you're willing to put up with it all. That's good, too.

For the record (not that you're surprised, I'm sure), I fall in and out of several of those categories. I'm probably jaded-- I'll give you that, but the pay is fine (more than I ever expected). It's not about money for me, though. Yes, I am an idealist (the world needs more of those, in my opinion), which leaves me to cling to the options in #9. If I could sell out my ideals, I think I could be happy with the paycheck from #7. The truth is, I've done at least a little of all of these and am making fun of myself as much as the rest of you who have those jobs.

If you read the original post and take it as a challenge to improve the state of the state (or prove that the state is better than I claim because you see things the rest of us cannot), then I'll label this an accomplishment.

You said:
"So.....what sucks about repeating the slide deck? Oh, I forgot, your incessant idealism keeps getting in the way. Well, most of us will happily deal with a little repetitive action to make double the money."

You're absolutely right; I won't do it for the money. (Now, if somebody was learning as a result, that's a different story-- that's where us idealists get value-- actual overall improvement through knowledge.)

I don't know if we've met, but I certainly have no hard feelings from your comments. Thanks for your time.

Anonymous (2009-01-30 21:17 -06:00):

Wow. This is the most depressing thing I've read in a long time. Then I realized - maybe you're jaded? Or maybe not making the big $$ you'd hoped for? I'm not sure if I know you, I know a lot of damn people in this industry, but if I don't - please keep your incredibly depressing, wannabe-proselytizing opinions to yourself. Let me throw some rebuttals out, just for giggles.

1. Right - perfect security is not possible. Neither is "perfect profits", "perfect project management" or "perfect anything else" for that matter. Should that dissuade you from a career path? Hell no - don't feign such idealism, it's silly. Hackers like problems to solve, and good security people are fond of solving security issues. I am not yearning for perfect security, and I don't know anyone else that is either.

2. I'll give you this, to some extent. Trying to get other people to "do right" IS frustrating. But when that one person DOES the right thing, it's a fantastic moment of elation - "someone got it!". If you don't feel this when it happens, you are way too depressed and cynical about the whole thing, and you are not likely to make friends at parties.

3. You've got some points here. I agree - most organizations can't pay full-time IR people. But some of us actually LIKE doing IR work. I've done some that sucks, sure, we all have, but some of it is incredibly stimulating and rewarding. You are just over-generalizing WAY too much here.

4. Security Ops jobs are often people's first step into the industry. And they're also the ones where a) real work gets done, unlike many of the bullshit "architects" I've met, and b) can be incredibly rewarding for some people who LIKE working with gear. I have done a ton of this work, I am further along in my career, but I will NEVER say I'm too good for it. I'll crawl around in a data center and config a firewall any day. And I bet there's a lot more like me than you realize - being a geek is part of the fun of this profession, lose that sentiment and you're probably lost anyway.

5. Damn dude, where have you worked? It's about doing the best job we can. I've worked in some horrible places where the environment sounded a little like this, my advice to people who relate to this point even a little bit - get the F*** out! Don't hold on to your job just because the economy sucks, unless you live in Bumblef*** where there ARE no jobs (and then you should move anyway), but come on! This is a little too "Office Space" for me, you can pretty much make your own attitude.

6. Yes, some security vendors are totally pushing FUD. But without them - what do we have? Open source? Bah. There's some good stuff in that, sure, but there's nothing wrong with people selling products, it's that whole economy thing. And there is NOTHING wrong with making money, so don't hate the sales people. Just doing their job - if you don't like their approach, fine. But what about the product? Does it solve a problem? Do you need it? Better questions. And I was a sales engineer, and they have something incredible going for them, in most cases - people skills! That's right, they can TALK to PEOPLE, and actually look you in the eye sometimes! Wow! And they probably make a lot more money than you do, too. Most SEs I know are very technical and simply do most of their tinkering in their spare time. Which they have some of, since their jobs are usually pretty kick-ass and they have more $$. So.....what sucks about repeating the slide deck? Oh, I forgot, your incessant idealism keeps getting in the way. Well, most of us will happily deal with a little repetitive action to make double the money.

7. Some pentesters suck. Others do not. Sometimes they provide value. Sometimes they do not. They also make a lot of $$ if they're good. So...what's the problem here?

8. Some exploit writers do perpetuate the problem. Some don't though - HD Moore has given more to the community in his time than you or most ever will. But what is really the argument here? People will always find flaws in things, these folks are just doing it more often. And MOST of the time, things get fixed as a result. Given that most of the real security issues come down to stupid simple issues like patching and access controls, we actually could prevent most of those exploits from being a reality, but that's a different issue.

9. I teach people at a few conferences a year. I do it because I enjoy it. Now, I agree with you, many times full-time teachers don't know what the f*** they are talking about since they only teach, but not always. I can back my shit up, EVERY TIME. And the folks I tend to teach with can too - we all consult and do a number of different things in the security community, so we actually have a clue. Are we paranoid? Sure, to an extent - any good security person is. But most of us have learned to chill a bit, too - we have families and lives away from the Internet. And we all make enough money to be pretty damn optimistic.

10-11: Yes, most security media people need to STFU. Especially those who think blogging is making them special. For God's sake, say something insightful instead of just whining about stuff. Or pointing out the obvious. Or regurgitating stories. Ugh. You're not getting paid for it, so why do you have so much damn time to do this? Blog readers != friends.

As for changing the world, the everyday security people of the world actually ARE. Sure, they're not getting public recognition for it, but who cares? Every time someone prevents some asshole from stealing my credit card number or health records, they're my hero.

So, anyone reading this post - it's bullshit! Security is a GREAT career for curious, technical people who need constant and ever-changing intellectual stimulation. Is it thankless sometimes? Sure. Do you put up with BS and vendors and idiot bloggers who spew drivel and actually say and solve nothing? Yep! But if you can get past all that, welcome to the club. Most of us aren't this depressing.

Anonymous (2009-01-12 10:58 -06:00):

Thanks for making me depressed.... Sooooo true though.