Thoughts on Security Careers

Several recent blog posts have discussed security careers. I'll start with Anton Chuvakin's post A Myth of an Expert Generalist:

Lately I’ve run into too many people who [claim to] “know security” or are [claim to be] “security experts.” Now, as some of you recall, I used to do theoretical particle physics before I came to information security. In my physics days, I’d be pretty shocked if I were to meet a colleague in the hallways of the C.N. Yang Institute for Theoretical Physics who would self-identify as “a scientist” or, for that matter, even as “a physicist.” It is overwhelmingly more likely that he would say “quantum chromodynamics” or “lepton number violation in electroweak gauge theories” or “self-ionization of the vacuum” or some such fun thing...

I think this has a lot to do with the fact that the area of security is too new and too fuzzy. However, my point here is that a little common sense goes a long way even at this stage of our industry development. In light of this, next time you meet “a security expert,” ask him what is his area of expertise. If the answer is “security”, run!

Finally, career advice for those new to information security: don’t be a generalist. If you have to be a security generalist, be a “generalist specialist;” namely, know a bit about everything PLUS know a lot about something OR know a lot about “several somethings.” If you ONLY know “a bit about everything,” you’d probably die hungry...

Those are interesting insights. I agree with Anton's characterization of the field as being "too new." Theoretical physics is well over a hundred years old, while digital security is about forty years old.

Jeff Snyder's Security Recruiter Blog posted two good stories recently. The first is Hiring: Why Some Security Jobs Go Unfilled:

I started thinking about why some jobs are open for so long or go unfilled entirely...

A company recently sent a Security Analyst / Security Engineer job description to me for my review. They’ve had the job posted to major job boards for months but can’t seem to find the right person. As I studied the description, I quickly recognized that they were looking for at least two and possibly three different skill sets that typically don’t fit together in one person’s resume.

I pondered why they would create such a difficult expectation that essentially set them up to fail in their quest to find the right security job candidate... [C]ompanies across the nation is a significant squeezing of the belt. CISOs are pressured to deliver more results with less resources. Security professionals have to wear more hats than ever before and they have to be great at nearly everything they do in order to capture the most appealing jobs...

Recruiters don’t create candidates, we find those who already exist. If the person a company wants to hire doesn’t exist or doesn’t exist very often, I may be staring at a search that is set up to fail.

I agree with that statement too, but this idea of wearing so many "hats" is a recipe for failure. Most security people can't keep up with one aspect of the industry, let alone multiple aspects. I wrote about this issue several years ago in More Unrealistic Expectations from CIOs when I raged against the idea of a "multitalented specialist."

My third post again comes from Jeff Snyder, in Conversation: With a CIO regarding his Security Staffing:

The CISO was explaining his company’s need to cut back on staffing levels... [S]omeone came up with the idea that this CIO's company could live with one less information security professional.

As of now, they have one security professional who does security analysis and project management work but not a lot of what he does is considered deeply hands-on technical work.

The other security professional on this CIO's staff is a hands-on technical professional who has very deep technical skills but he is not strong with regulatory compliance, risk management work or work that requires strong interpersonal skills...

My recruiting partner and the CIO came to the conclusion that both security professionals might have to go in order to hire someone who had a broader skill set that included both the business / risk / interpersonal skills and the deeply technical components all wrapped up in one person’s security / technology risk management skill set...

Security professionals in both the present and the future need to bring broad skill sets to prospective employers in order to satisfy the growing demands found in hiring manager’s job descriptions.

Wow. That is a recipe for disaster. Lay off two people who already understand the business in order to replace them with one newbie who is expected to do both jobs? Isn't that the unrealistic expectations problem cited in Jeff's first post?

Comments

James said…
Great post. I am the security professional with a strong technical background, I crossed over to the dark side from Network Engineering. I realize my deficiencies in policy, compliance, etc and am working hard to fill those gaps. I feel it’s important to have a fundamental grasp no both ends, but my specialty will always be more technical.
BTW, I’ve always been a FreeBSD hobbyist (started with 4.8) and have picked up quite a bit by going through the TAO book, running through the tools, and using them to monitor, capture and analyze traffic and packets. Now if I can only figure out how to write a good security policy
9:40 AM
Unknown said…
From the other side, I was a professional writer and learned the hands on side of systems and security on the fly. I can write policy and training in my sleep. The technical experience informs how I write policy, but I am not the person you want at the console when an attack hits.

I have repeatedly watched both hands-on technical people and employees with soft skills set up for failure by management that would not understand that one size does not fit all.

Thanks for this post. I hope it gets circulated to managers who think all tech and all security staff are interchangeable.
12:30 PM
CyberG said…
I don't think any of these problems are truly unique to IT Security. To me it all goes back to two things. 1) The hiring manager and/or HR don't fully understand the job they are trying to fill or 2) The candidate misrepresents their skill sets. I think in today's security landscape there are places for both the generalist and the specialist, it really just depends on how narrow/broad the job scope is.
12:47 PM
Anton Chuvakin said…
Actually, somebody was telling me that there is a need for a "big picture" generalist in security.

How can such a role be defined?

Is this a "multitalented specialist" aka "deep diving purple elephant with wings?"
2:15 PM
Jeff Snyder said…
Thank you for your insights. Most of the blogs I write are written from the perspective of reporting on what I run across rather than shring my opinion. Some of the clients I serve focus on a few core skills and otherwise set out to hire the person who best fits their culture. These clients tend to hire based on a few core skills but lean more heavily towards hiring overall competency and the potential one has to learn new skills in the future. Other companies I encounter focus more on finding people whose resume contain the entire laundry list of skills that their job description contains. My observation is that they hire skills more than they hire people. Which hire do you think last longer?
8:28 PM
Anonymous said…
Unluckily, under the current economic worldwide crisis, circumstances force businesses to cut on staffs. That's the reality that many IT employees (and also CIOs) must face today.

My question would be more: if you were the CIO, and you had those 2 security experts (the more technical one and the other more expert in risk management and interpersonal skills), who would you lay off first?

I am asking that because I sense my company is going to that direction and I could be in the upcoming layoffs for this very same reasoning.

As Richard said, firing both to hire a new expert to fil both is a disaster move. So, what would you do if you had to fire only one?
4:55 AM
H. Carvey said…
Be very careful when reading an article or listening to a podcast where someone is described as a "security expert" or an expert at anything for that matter. I've been interviewed, and I know others who've been interviewed, who never make that claim...it's the marketing staff or the interviewer who makes that claim.
7:16 AM
os said…
I agree about the 'be sceptical of experts' part, but disagree about the usefulness of generalists. A general practitioner can do a perfectly respectable job even if he/she isn't a brain surgeon. The key is to know the limits of ones expertise, and call in specialists when it's called for.

For most enterprises, I'd say thay the security GP is more needed than the brain surgeon. As Robert A. Heinlein observed -- specialization is for insects.
3:39 PM
Dremspider said…
I like this post a lot. This is one problem I have been having in information security. I work in a somewhat entry level position for IA. I also am about half way through grad school for infosec. My degree is giving me a broad focus of Information Security, which I think will be beneficial. On top of this though, my book shelf is crazy with what I want to learn! I want to know it all mainly b/c I haven't decided what field in particular I want to be in. I am positive I want it to be technical, but I am interested in Incident Response (IDSes), Malware Research, Secrity Engineering, programming, system administration (and many more!). I am really all over. I do think in a bit I am going to have to decide what I want to focus on, but right now... I can't decide, there are so many interesting things to study!
12:40 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more