Why do so many people seem to want to go into security work?
fmitawaps
Banned Posts: 261
I don't understand why so many people seem to want to be in security work. It may pay well, but it seems like they are letting themselves in for some huge headaches down the road. When the company they work for gets hit with some kind of attack, they are going to end up in a board room with all the senior management who know nothing about IT, getting asked questions like "What are we paying you for if things like this can still happen?".
Comments
-
anhtran35 Member Posts: 466
If you are in the IT field you will experience this regardless of the field. Windows Administrators: "Why is my Outlook not working?"; Network Administrators: "Why was there a 4 hour Internet outage?"; Help Desk: "Why did you stay on that call for 4 minutes when we had 10 more calls in the queue?". The question you just asked can be broken down and answered. If Senior Management doesn't understand then FOCK EM. You can't fear being challenged in any work field (IT, Medical, Construction, etc.). It's going to happen regardless.
-
NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
fmitawaps wrote: »I don't understand why so many people seem to want to be in security work. It may pay well, but it seems like they are letting themselves in for some huge headaches down the road. When the company they work for gets hit with some kind of attack, they are going to end up in a board room with all the senior management who know nothing about IT, getting asked questions like "What are we paying you for if things like this can still happen?".
Because if they are good at their job, scenarios like this won't happen often? -
EnderWiggin Member Posts: 551 ■■■■□□□□□□"You pay me to do the best I can with the limited resources you provide me. Stop denying my requests for more resources, and we won't be attacked."
-
Iristheangel Mod Posts: 4,133 Mod
Reality is that there is no such thing as 100% secure. Even management understands that, or has to some degree comprehended it. Most security teams aren't given unlimited funding, and even if they were, there's no security product that's 100% effective at preventing all forms of attack or just pure human stupidity, since humans are the weakest link.
Just like another poster said: saying you're in for a letdown because one day you'll get popped and have to explain to management is like saying you shouldn't be a network engineer/server engineer/virtualization engineer/cloud engineer/<insert IT title> because one day you'll get your bell rung on an outage or something that broke and have to explain it to management.
The security field isn't going away, getting cheaper or getting easier. The threats are getting more complex, regulations are getting more strict, and consequences are getting more severe if breached. You might not understand it, but we're nowhere near a day where someone is just going to be able to throw their hands up and fire their entire security team because security isn't needed anymore.
P.s. Didn't we have another thread like this from you in regards to security and you not understanding why companies would hire a dedicated security person much less a security team? http://www.techexams.net/forums/general-certification/117164-so-many-people-seem-want-do-security-certs.html -
cyberguypr Mod Posts: 6,928 Mod
Iris saved me from going on rant mode. OP, if you don't understand security, let's have a conversation to illustrate the value and importance of it. Saying "I don't get it and it's pointless" over and over again doesn't achieve anything. Security is here to stay as long as the bad guys keep progressing. They are light years ahead of us defenders, so this game will not stop any time soon.
A board/upper management that asks that question has no idea how security works. This means whoever is in charge of security did a bad job communicating some basic concepts. Our work is not to make systems impenetrable, as that is IMPOSSIBLE. Our job is to minimize risk, protect the enterprise given the resources we have, and have tried and true plans and procedures to respond in a timely manner when things go south. When everything is said and done we do need to go in front of higher ups to show how the laziness/lack of knowledge/negligence of some non-security person jeopardized everything. What do you propose instead of all of this? Doing nothing? -
Codyy Member Posts: 223 ■■■□□□□□□□
It's definitely a headache. Maybe it's just my environment, but the network/sysadmins/help desk/users just consider us a nuisance, instead of seeing us as another set of eyes helping secure the systems that THEY are responsible for.
Management expects the world, every system 100% secure and the network impenetrable (yeah, right), yet refuse to acknowledge that we need equipment that hasn't been end of life for 5+ years, or to allow us to quarantine systems that have unremediated vulnerabilities because it would inconvenience the user.
I could rant for days but to summarize.. It's a great field for job security, though the majority of management do not truly understand this domain, so they're not comfortable letting the security staff do what's necessary to help secure the network ...so prepare for constant headaches and disappointment if you're the type that likes to make a difference. -
NOC-Ninja Member Posts: 1,403
There are senior managers who do not know anything about IT. Somehow they got there because of the buddy system. There are some that used to be engineers. The hybrid manager/engineer is the best because they can help troubleshoot a problem and ask the "right" questions. The biggest threat is an inside job and social engineering.
I think people see that IT security pays more. Any job with a higher pay comes with bigger responsibilities. -
fmitawaps Banned Posts: 261
Thanks, Iris, I thought I wrote about this once before but didn't remember. I just started a new job where some people were talking about network security today and that brought it up in my mind. Security is definitely needed, no doubt about it, I'm just saying I wouldn't want to be the one to have to deal with the hassles when a bad day comes along.
-
Iristheangel Mod Posts: 4,133 Mod
Well.... you definitely don't want to work with networking, servers, virtualization, or anything important then, because when it stops working or you have a bad day, there's going to be a LOT of hassle.
-
Christian. Member Posts: 88 ■■■□□□□□□□
fmitawaps wrote: »Thanks, Iris, I thought I wrote about this once before but didn't remember. I just started a new job where some people were talking about network security today and that brought it up in my mind. Security is definitely needed, no doubt about it, I'm just saying I wouldn't want to be the one to have to deal with the hassles when a bad day comes along.
Well, you make it sound so easy, but the reality is that it may be more difficult to assign blame than you think. Let's say your company got compromised and they stole information from your database, with millions of customers' records with private information. Everyone is panicking and the finger pointing begins. You want blood, so, who are you going to make pay for this?
Are you going to fire the DB team because their sa password wasn't complex enough? The wintel team because the patches weren't up to date? The compliance team because they stalled this process as there was missing information? The firewall guy because the rule installed was too permissive? The information assurance team because the rule that was approved was too insecure? The application owner that requested to open ports he didn't need? The internal audit team that submitted a report missing key flaws? The software dev team because they had a bug in their code that allowed someone to gain entry into the company through their web portal? The IPS team because they didn't stop the attack? The cybersoc team that didn't see a correlation in previous recon attacks? The incident team that never escalated their suspected findings? The network team because they didn't mitigate a VLAN hopping exploit? The external audit firm you hired to perform an audit that only found silly things? The user that wrote his password on a sticky note in his cubicle? The AD team that never pushed GPOs to secure servers? I could go on and on..
Of course the real attack could be a lot different; it could be simpler, or way more complex. The key point is that a bad day in security can involve a lot of people, a lot of teams. You might even have to wait some time until you actually find the root cause. Besides all this.. I really doubt any career, profession, or job is stress free and you will be able to avoid having bad days.
CISSP | CCSM | CCSE | CCSA | CCNA Sec | CCNA | CCENT | Security+ | Linux+ | Project+ | A+ | LPIC1 -
OctalDump Member Posts: 1,722
Christian. wrote: »Well, you make it sound so easy, but the reality is that it may be more difficult to assign blame than you think. Let's say your company got compromised and they stole information from your database, with millions of customers' records with private information. Everyone is panicking and the finger pointing begins. You want blood, so, who are you going to make pay for this?
Are you going to fire the DB team because their sa password wasn't complex enough? The wintel team because the patches weren't up to date? The compliance team because they stalled this process as there was missing information? The firewall guy because the rule installed was too permissive? The information assurance team because the rule that was approved was too insecure? The application owner that requested to open ports he didn't need? The internal audit team that submitted a report missing key flaws? The software dev team because they had a bug in their code that allowed someone to gain entry into the company through their web portal? The IPS team because they didn't stop the attack? The cybersoc team that didn't see a correlation in previous recon attacks? The incident team that never escalated their suspected findings? The network team because they didn't mitigate a VLAN hopping exploit? The external audit firm you hired to perform an audit that only found silly things? The user that wrote his password on a sticky note in his cubicle? The AD team that never pushed GPOs to secure servers? I could go on and on..
All those problems! Sounds like a governance issue. Time to call the board and get some new C-levels in.
2017 Goals - Something Cisco, Something Linux, Agile PM -
JoJoCal19 Mod Posts: 2,835 Mod
Iristheangel wrote: »Well.... you definitely don't want to work with networking, servers, virtualization, or anything important then because when it stops working or you have a bad day, there's going to be a LOT of hassle
Hell, I'd say this is more of an issue in networking, servers, and virtualization. Those systems have issues on a regular basis. What's the percentage of companies that have had a major/headlining breach? .01%? .001%? I'd much rather work to prevent an issue at that rate than with systems that can have issues daily.
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework -
Danielm7 Member Posts: 2,310 ■■■■■■■■□□
Iristheangel wrote: »Well.... you definitely don't want to work with networking, servers, virtualization, or anything important then because when it stops working or you have a bad day, there's going to be a LOT of hassle
Seriously! I do a ton of work in security, but the systems, networking, etc. groups all have a crazy amount of responsibility too. There aren't a ton of jobs in higher level IT that don't carry that sort of weight. -
The_Expert Member Posts: 136
I believe the vast majority of people who want to work in Security just see big $$$. This is true. This field pays very well... However, I stumbled into it by accident.
It is not all that it is cracked up to be. There is a ton of work to do with a lot of responsibility that often times requires a lot of precision. The team I work on puts in more hours than our network guys.
Plus, in security you get to deal with auditors on a regular basis. So much fun!
Masters, Public Administration (MPA), Bachelor of Science, 20+ years of technical experience.
Studying on again, off again... -
jamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
I just want to help people stay safe.... That's pretty much the only reason why I'm interested in security.
The money isn't the most important thing to me, but it does help out a lot.
I'm not in security work yet, but I do think that I would enjoy it. I wouldn't mind explaining the technical stuff to people who didn't understand; it'll just mean that I would have to know things well.
Booya!!
WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
*****You can fail a test a bunch of times but what matters is if you fail to give up or not***** -
Danielm7 Member Posts: 2,310 ■■■■■■■■□□
The_Expert wrote: »I believe the vast majority of people who want to work in Security just see big $$$.
Agree with this as well, or they think everyone is a freelance hacker. The field is so broad it's crazy. -
aderon Member Posts: 404 ■■■■□□□□□□
The global threat landscape is really interesting to me. I find it more interesting to read about than fiction, novels, etc. I see it as entertainment. This has motivated me to learn the technology behind it all so that I can understand the articles better.
I think of it as someone who loves watching movies getting a degree and career in film because they want to be able to appreciate them even more.
2019 Certification/Degree Goals: AWS CSA Renewal (In Progress), M.S. Cybersecurity (In Progress), CCNA R&S Renewal (Not Started) -
NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
The_Expert wrote: »I believe the vast majority of people who want to work in Security just see big $$$. This is true. This field pays very well... However, I stumbled into it by accident.
It is not all what it is cracked up to be. There is a ton of work to do with a lot of responsibility that often times requires a lot of precision. The team I work on puts in more hours than our network guys.
Plus, in security you get to deal with auditors on a regular basis. So much fun!
+1 to this. I think a lot of people who think they want to be in security would actually find it a lot more interesting and rewarding to stay in networking or systems/virtualization. -
markulous Member Posts: 2,394 ■■■■■■■■□□
With me personally, I find the field interesting as far as how it's growing and the legalities that are going to be associated with it. I think the tedious work associated with it is also rewarding.
There's money to be made, sure, but to me that's never been my #1 motivator for IT. I can probably get a job right now making nearly double what I'm doing, but it'd be desktop support. Much less stress and way easier work, but that seems pretty counterproductive to me. -
kohr-ah Member Posts: 1,277
markulous wrote: »There's money to be made sure, but to me that's never been my #1 motivator for IT.
Money is great, but I'd rather have work life balance at a lower salary than a higher salary and never see my family. -
markulous Member Posts: 2,394 ■■■■■■■■□□
Amen to that. Work/life balance and enjoying my job is more important. If you're miserable or can't see your family, what's the point of more money?
-
networker050184 Mod Posts: 11,962 Mod
Security as a buzzword for job seekers seems to have fallen off a bit for cloud lately. It all goes in cycles it seems, though. I'm sure everyone will want to be something else in a year or two.
An expert is a man who has made all the mistakes which can be made.
-
dhay13 Member Posts: 580 ■■■■□□□□□□
I spent a few years in law enforcement and doing armed security. I certainly didn't do it for the pay. I loved providing a service that I felt helped others. I get that feeling again working in the network security field. Oh... and the money isn't bad either, but that isn't why I chose it.
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■
Because it's interesting work and you get to touch a lot of different areas (Legal, IT, Executive Management, Compliance).
Any security person worth their salt knows that half their job is about educating their user base and evangelizing security within their organization. To that point, it means we also need to be able to talk to different groups at different levels. Where I can be very technical with the IT team, I need to be less technical with Legal and Executive Management. I've reached a point in my agency where I can have what I would say are half-technical conversations with senior management in regards to information security. Are they IT people? Definitely not. Are they complete end users? Not any more. Now with that education and evangelization comes the idea of minimization of risk. We are in the business of minimizing the effects of an incident. Any executive knows you cannot bring risk to zero, and they don't expect that. They expect that what might have been a huge risk was effectively minimized to a small one.
As an example, several months ago we responded to a DDoS related incident. It had a major impact on an organization, and that stemmed from a number of issues. Ultimately it was resolved, but management learned that there were steps that needed to be taken so that if it reoccurred the impact would be lessened. They'd be slowed down, but not downed. Through some open source information gathering we learned that there might be another attempt at a DDoS on a particular day, and we advised the organization of such. Within our organization there was a question from a senior manager: "If they know the steps we're taking to minimize the incident, won't they go about defeating it?" Excellent question, and one that, had this occurred two years earlier, probably wouldn't have been asked (education). My reply was straightforward: "Yes, they could most definitely change up their tactic given what they learned previously, but that is a win for us because now they have to utilize tactics outside of their playbook, and that leads to a greater chance of mistakes being made." That also allowed me to pull out this pearl of wisdom from Sun Tzu: "The whole secret lies in confusing the enemy, so that he cannot fathom our real intent."
Security is a must, and what you'll ultimately learn is you pay now or you pay later; if you pay later it will cost you more. At the same time we, as security professionals, have to understand the business and risk management. If you say no to everything, management will ignore you and not include you later. If you say yes to everything, then you expose yourself and your organization to risk that will cost you your job. Thus your mission is to know the business, hopefully be on the ground floor of new integrations or upgrades, but if not, know how to minimize the risks of projects you weren't brought into until they've already begun generating revenue.
I suggest you read The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win; in it lie the tools you need to succeed and a great story for anyone who's been in IT.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff -
New2ITinCali Member Posts: 184 ■■■□□□□□□□
I want to get into security because it's an interesting area of I.T. in my opinion. I tried database management and software development (SQL, ASP.NET) and I realized I just did not like it at all! I also tried programming and took a Java course, and I also did not like it. I found my niche in networking. I love networking and troubleshooting. The security side of it is what interests me the most. I live in the SF Bay Area, so it's definitely not about the pay, because most of the I.T. jobs pay well around here, everything from DBA to Project Manager to Network Administrator. If I worked my way to Network Administrator one day and never obtained my CISSP or security experience, I'm fine with that as well. I just personally believe that cyber security is a very interesting field.
-
renacido Member Posts: 387 ■■■■□□□□□□
If you don't want to work in security, that's ok. You do you, I'll do me.
If you think that the security team gets called on the carpet in front of the BoD to be interrogated or shamed, that doesn't happen.
For one, as Iris pointed out, we do the best we can with the resources we are given. Just like systems or networking ensure maximum uptime with the resources they're given. You want 99.999999% availability? Gotta design, build, and pay for it. 100% doesn't exist. Near 100% is very expensive. Same applies to security.
Want security so tight that your systems can't be compromised? Unplug them and bury them in concrete. Want them to be connected and user-friendly and allow many complicated features and have high performance? And not cost a fortune to maintain? Then you have to accept a certain amount of security risk. The more complicated the system, the more advanced the threat, the higher the cost of security and the more impact to usability and performance.
The system owner (CEO or CIO usually) determines the acceptable level of residual risk, and accepts that risk. They determine that based on the value of the asset (information, system, line of business, etc.) vs. the cost of securing the asset against the known threat environment. The security dept provides the strategy, makes recommendations, implements and directs security efforts, etc. But they don't accept the risk. We don't have unlimited budgets, and security has to be balanced with usability, utility, and performance.
Why do I work in infosec? Because I love it, it's fascinating to me, and it pays well. Why wouldn't I? -
kohr-ah Member Posts: 1,277
Hey OP, why work anyway? It's stressful.
It's the only way I can pay for my hooch.
@fmitawaps We have a security team where I work and I am partially involved in it as well. I am glad I have them. They have a job that I wouldn't want full time, because they analyze logs, procedures, zero days, and all kinds of stuff in the world of technology. They are a blessing to me though, because I don't have to do this research and they go "Hey Kohr-Ah, I have this issue I found going on that I think we may be susceptible to, can you check it out?"
I get to research their finding real quick, harden my systems, and everyone wins. I've seen bad stuff come and yeah, Sr Management did pull us in a room. They explain what they found. I explain what that means. We all work for a collaboration. Know why they are in the room with us? Because it all comes downhill. They are getting chewed out at every level above them and they want us to make it stop. -
Rumblr33 Member Posts: 99 ■■□□□□□□□□
I am not sure where you are located, but my team is looking for interns that are interested in security, particularly incident response, and have only found 1 out of 15 candidates interviewed that are seriously interested. We hired her. The security field has quite a few areas of interest where people can specialize. I recently was promoted from our helpdesk to the CSIRT team and I received a 35k pay raise. The money is great, but if you are interested in staying in the know when it comes to cyber threats and continually learning, the InfoSec field will not suit you. I love it; sometimes it can be monotonous and sometimes it's a non-stop action packed thrill.
-
anhtran35 Member Posts: 466
fmitawaps wrote: »Thanks, Iris, I thought I wrote about this once before but didn't remember. I just started a new job where some people were talking about network security today and that brought it up in my mind. Security is definitely needed, no doubt about it, I'm just saying I wouldn't want to be the one to have to deal with the hassles when a bad day comes along.
No OFFENSE; however, MAN THE "F" up and be a man. Otherwise you can cower in the corner and live your life as a PUSSY.