If you work in InfoSec what is your job like?

JaneDoe

I already think like a security professional. I love reading security blogs. I run a small network and I consider security in all the decisions I make for it. When I work with people who don't take security as seriously as I do I feel like a neat freak sharing a room with a slob.

I used to think there was no way I'd go into InfoSec because I don't want to work for a bank or the military, and because I don't want to be the facebook police. Now I'm starting to reconsider that position because I don't want to be the junior admin biting my tongue while I watch to the senior admins log into the network remotely via telnet, or do something else equally stupid.

If you work in InfoSec what is your job like? Do you like it? What jobs are there in InfoSec that don't require working for a bank or the military/NSA?

NovaHax

I am a security consultant in the Washington DC area. My job mostly consists of penetration tests, security audits and compliance assessments.

phoeneous

NovaHax wrote: »

I am a security consultant in the Washington DC area. My job mostly consists of penetration tests, security audits and compliance assessments.

That's badass.

wes allen

I do mostly IDS/IPS/SIEM/NGFW type work, with a few security side projects here and there for KY State Gov. Pretty much any enterprise network has dedicated security roles these days. Many smaller orgs also have either dedicated security people, or mostly security with a liitle bit of networking on the side roles. Plus a lot of roles with consulting and Pre Sales as well. So, while banks and military might have a lot of infosec people, there are still plenty of roles outside of those two.

JaneDoe

NovaHax wrote: »

I am a security consultant in the Washington DC area. My job mostly consists of penetration tests, security audits and compliance assessments.

How do you like it? Do you think that's a good career direction?

NovaHax

Personally, I love it. Writing reports isn't so fun. But the actual pentesting is awesome. Its a great job for anyone who loves constantly being challenged. As fast as the security climate is constantly changing, it seems like you can never fully catch up. But constantly learning new things.

The job has good perks too.

1. I mostly get to work from home. Most people have dress codes. I can sit at home without even wearing pants and break into a client's servers and devices.

2. Almost unlimited funding for training and professional development

3. Good amount of travel

4. Conventions like Blackhat, DEFCON, etc... every year

atx1975

Like Wes Allen said.......I install, configure and monitor anything to do with Enterprise Infrastructure Security Devices from Fw's, IPS's, SIEM, 2 factor authentication, database monitoring, WAF and a few security side projects.

JaneDoe

NovaHax, your job sounds like a lot of fun.

docrice

JaneDoe wrote: »

I already think like a security professional. I love reading security blogs. I run a small network and I consider security in all the decisions I make for it. When I work with people who don't take security as seriously as I do I feel like a neat freak sharing a room with a slob.

You seem to be a wolf among the sheep, with senses that others don't dare to leverage, and scrutiny which surpasses the shallow consciousness of those around you. It is a sign.

JaneDoe wrote: »

I used to think there was no way I'd go into InfoSec because I don't want to work for a bank or the military, and because I don't want to be the facebook police. Now I'm starting to reconsider that position because I don't want to be the junior admin biting my tongue while I watch to the senior admins log into the network remotely via telnet, or do something else equally stupid.

Security is everywhere and becoming more noticed in today's age of compliance, regulation, and headline breaches occurring on a regular basis. It's certainly not just banks and military organizations who have infosec teams. But it's always a balance between business priorities, risk assessment, and the risk trade-offs the business leaders are willing to make. Recognizing what those trade-offs are and implementing controls and doing the necessary auditing is where a good bulk of the work comes into play. And many times, security is embedded into the fabric of normal duties like administering infrastructure, although depending on the organization sometimes it's handled by a dedicated staff.

JaneDoe wrote: »

If you work in InfoSec what is your job like? Do you like it? What jobs are there in InfoSec that don't require working for a bank or the military/NSA?

It is busy. If you're on defense, you will never have enough hours to cover all the cracks in the hull of a seemingly-sinking ship. Your skills will never be sharp enough, you will always be outgunned, internal politics will be against you because you're an (unfortunately-necessary) cost-center, and you always need more data to detect, correlate, pivot, and chase the bogies down ... only a few of which you'll catch.

The ocean is wide, deep, and there's a thriving ecosystem waiting to be discovered at every turn. While it's easy to get burned out, if you like opening your eyes to more and more things and go exploring into that dark cave, this is it.

Unless you work in a completely air-gapped environment with little social contact to the outside world, the Internet is always attacking you non-stop over copper, fiber, and air. We're still in a wild west age and it's only getting more complex with business relationships that inter-weave at multiple levels, communication protocols that get developed weirder as time goes on, security products that are increasingly more complex and invasive (and typically over-sold and under-delivered), and almost no one really understands the scope of how bad it is.

So yes, I like it. I'm primarily on the firewall/intrusion detection/log-watching/config-auditing/incident response/traffic profiling/vuln scanning/device hardening/product-evals/whatever-else-is-thrown-at-me side of things. I work for a security vendor, so I get a decent training budget and while that sounds luxurious, I also simply have less and less time to enjoy such things. I also go to RSA, DEFCON, and Black Hat every year as part of my job, but I also have a very demanding schedule which leaves me with time for little else in life.

Deliverables, deliverables, deliverables, deliverables. Sing it with me.

Sniffing packets is like cocaine. Your eyes open wider when you discover what's under the microscope.

JaneDoe

docrice wrote: »

It's always a balance between business priorities, risk assessment, and the risk trade-offs the business leaders are willing to make. Recognizing what those trade-offs are and implementing controls and doing the necessary auditing is where a good bulk of the work comes into play.

I get that. My favorite is the self defeating security mechanisms. The assigned 15 character random passwords that changes every 30 days (and is written on the monitor), especially when this is required for non-administrative functions and the data that isn't sensitive.

If a business needs a terminal in the hall for visitors to check email that isn't password protected? That's great, it means those visitors won't be begging staff to use their PCs for basic tasks, while using a staff member's PC would allow them access to sensitive information the guest terminal won't allow access to.

paul78

JaneDoe wrote: »

I already think like a security professional. I love reading security blogs. I run a small network and I consider security in all the decisions I make for it. When I work with people who don't take security as seriously as I do I feel like a neat freak sharing a room with a slob.

IMO - Having a healthy dose of paranoia and good sense of awareness is paramount to be being a good infosec professional. If you think that you process those traits, then absolutely, you should definitely pursue that career track. From your other postings, you seem like the inquisitive-type which is also a good trait for someone that ones to be an infosec professional. Good Luck!

JaneDoe wrote: »

I used to think there was no way I'd go into InfoSec because I don't want to work for a bank or the military...

I can't speak about government roles, but lots of different types of private sector companies need good infosec professionals. Although my background is primarily in financial services, there are many sectors that require strong infosec practices. For example, health care where privacy of consumer protected health information is mandated, many retail companies that handle credit card information, and even manufacturing companies that deal with security of their supply chain.

JaneDoe wrote: »

If you work in InfoSec what is your job like? Do you like it?

I play a leadership role so my own job is highly diverse. But generally speaking, its about driving initiatives and setting strategy. What do I like about my job? Good question which I don't have an answer. I suppose I like the diversity of the role and contributing to the building of a successful business.

NightShade03

I'm probably a little different than most since I work on the technical sales side of the house (pre-sales). While I know everyone hates sales people (I do sometimes as well), my job is super challenging and fun. I get to meet a ton of different clients across all industries, see what different environments/networks are like, and constantly design solutions that are so different for every organization. Like everyone else I will agree report writing and statements of work suck to write. On the flip side though this job has a ton of perks:

• Great salary
• Work from home 75% of the time
• Unlimited expenses
• Unlimited training
• All the tech toys I want to play with since we have hundreds of partners we work with

I will say that you constantly have to be on your toes though. I could be in one meeting talking about firewalls, the next meeting talking about application pen testing, and the next meeting discussing analytics. Definitely need to start ahead of the curve.

YFZblu

docrice wrote: »

It is busy. If you're on defense, you will never have enough hours to cover all the cracks in the hull of a seemingly-sinking ship. Your skills will never be sharp enough, you will always be outgunned, internal politics will be against you because you're an (unfortunately-necessary) cost-center, and you always need more data to detect, correlate, pivot, and chase the bogies down ... only a few of which you'll catch.

The ocean is wide, deep, and there's a thriving ecosystem waiting to be discovered at every turn. While it's easy to get burned out, if you like opening your eyes to more and more things and go exploring into that dark cave, this is it.

/thread - This is spot on.

The only thing I'll add, is the OP's "x will do something equally stupid" statement stood out to me. People in this field already tend to carry miserable attitudes around because of docrice's sentiments above. Dedicated security folks get frustrated, and for good reason.

That being said, try your best not to slip into that type of attitude, especially before you get into the field. I have my own struggles with it now, and I make a point not to be negative. I find faking positivity is too exhausting in some situations - rather, being open and informative is a better course of action. For those unwilling to cooperate, instead of getting upset, it is much more efficient to have isolation / access removal controls in place to entice more favorable action on the part of Users, devs, techs and admins.