Are Security Careers Real?



  • @thecreativeone91 said:

    I interviewed for a security job a while back, much of it was under NDA so I can't say anything specifically about what they wanted. The only thing I can say is the main thing they were looking for was someone with a Security+ (dumb) and I declined further interviews/proceeding with the process after the first one.

    Any company under NDA is using security through obscurity. The NDA is enough to make me walk away. This is why I decline to even talk to Google - they've failed the hiring process before we even talk in person because their NDA flags them as way too low end to even warrant a discussion.



  • @scottalanmiller said:

    @thecreativeone91 said:

    I interviewed for a security job a while back, much of it was under NDA so I can't say anything specifically about what they wanted. The only thing I can say is the main thing they were looking for was someone with a Security+ (dumb) and I declined further interviews/proceeding with the process after the first one.

    Any company under NDA is using security through obscurity. The NDA is enough to make me walk away. This is why I decline to even talk to Google - they've failed the hiring process before we even talk in person because their NDA flags them as way too low end to even warrant a discussion.

    Yep, I will never do an interview under NDA again.



  • I think for most folks they wind up being thrust into that position. At my last job, I had to learn pretty much learn things as I went. Not that security was an after thought, but as I'd learn something new for another project, I would go back and apply those same security principles to past projects and servers.



  • @thecreativeone91 said:

    Yep, I will never do an interview under NDA again.

    Or if you do, you won't tell us 😉



  • @dafyre said:

    I think for most folks they wind up being thrust into that position. At my last job, I had to learn pretty much learn things as I went. Not that security was an after thought, but as I'd learn something new for another project, I would go back and apply those same security principles to past projects and servers.

    Yup, I've been put in security roles, but it was a role, not a career path. It didn't come from something else, it didn't lead to something else.



  • @dafyre said:

    I think for most folks they wind up being thrust into that position. At my last job, I had to learn pretty much learn things as I went. Not that security was an after thought, but as I'd learn something new for another project, I would go back and apply those same security principles to past projects and servers.

    I have that happen before being put in it. I was put in the position at the county. and Security WAS an afterthought. Heck when I started it there it was server 2000 domain with the main DC having a 1:1 Nat mapping on it with no firewall in between, you could authenticate to it from home.. And the DC was a Terminal Server too!



  • @thecreativeone91 *me runs away and hides.



  • Security I thought was a real golden ticket at first, then you realize that if someone wants in they'll win eventually, no matter what you do. I don't like to lose and that'd be a struggle for me.



  • @MattSpeller said:

    Security I thought was a real golden ticket at first, then you realize that if someone wants in they'll win eventually, no matter what you do. I don't like to lose and that'd be a struggle for me.

    That and everyone thinks that it is a golden ticket. Like any "popular" career, that forces it to be the entry level work. Everyone and their brother is a "security expert" today. All of them working at McDonalds.



  • And most companies do not care about security unless it costs them a lot, but then they still don't care about it or your data; They just care about the financial implications of it.



  • @scottalanmiller said:

    Everyone and their brother is a "security expert" today. All of them working at McDonalds.

    Or a computer repair shop but, the pay is likely about the same.



  • @thecreativeone91 said:

    @scottalanmiller said:

    Everyone and their brother is a "security expert" today. All of them working at McDonalds.

    Or a computer repair shop but, the pay is likely about the same.



  • @thecreativeone91 said:

    @dafyre said:

    I think for most folks they wind up being thrust into that position. At my last job, I had to learn pretty much learn things as I went. Not that security was an after thought, but as I'd learn something new for another project, I would go back and apply those same security principles to past projects and servers.

    I have that happen before being put in it. I was put in the position at the county. and Security WAS an afterthought. Heck when I started it there it was server 2000 domain with the main DC having a 1:1 Nat mapping on it with no firewall in between, you could authenticate to it from home.. And the DC was a Terminal Server too!

    Nice! I've seen that setup before (and no, I wasn't the one who put it in :P)



  • @thecreativeone91 said:

    And most companies do not care about security unless it costs them a lot, but then they still don't care about it or your data; They just care about the financial implications of it.

    Ain't this the gal darn truth!

    Security is entirely to inconvenient, and until it really starts costing them due to things like breaches, most just can't be bothered with the inconvenience.



  • @Dashrender said:

    Security is entirely to inconvenient, and until it really starts costing them due to things like breaches, most just can't be bothered with the inconvenience.

    And this is why I don't sign up for points cards of any kind & am generally careful with my info



  • @MattSpeller said:

    @Dashrender said:

    Security is entirely to inconvenient, and until it really starts costing them due to things like breaches, most just can't be bothered with the inconvenience.

    And this is why I don't sign up for points cards of any kind & am generally careful with my info

    Points cards, etc themselves can't harm you, at least I can't think of how they could. If you use the same password for your points cards as you do for say email or paypal... well then when the points system gets hacked so does your email/paypal, etc.

    As long as those programs only want my already publicly available information (name, address, phone number) and nothing else.. I'm fine with them.



  • @scottalanmiller said:

    I know that there are some security specialty shops out there (I've been asked to lead teams for one of them.) But even big ones that I have worked with just use skilled "normal" IT people, not "security" specialists.

    I would have thought that a good security guy is a good generalist as you need to have a good understanding of all applications in order to gain a good understanding of where those application vulnerabilities lie. For example, you need a modest understanding of SQL in order to understand SQL vulnerabilities like SQL injection. So if I was forming a crack team of security experts I'd want a SQL guy, a web guy, a Windows guy etc etc. A bit like the A-team, with BA Baracus as my Windows guy.



  • @Carnival-Boy said:

    @scottalanmiller said:

    I know that there are some security specialty shops out there (I've been asked to lead teams for one of them.) But even big ones that I have worked with just use skilled "normal" IT people, not "security" specialists.

    I would have thought that a good security guy is a good generalist as you need to have a good understanding of all applications in order to gain a good understanding of where those application vulnerabilities lie. For example, you need a modest understanding of SQL in order to understand SQL vulnerabilities like SQL injection. So if I was forming a crack team of security experts I'd want a SQL guy, a web guy, a Windows guy etc etc. A bit like the A-team, with BA Baracus as my Windows guy.

    I agree, if you are assembling a crack security team. Take a high level person from each IT discipline that applies (UNIX, Windows, Cisco, Software Engineering, Desktop Support, User Training, Telephony, Pen Testing, Social Engineering, Oracle, etc) that also have a strong understanding and penchant for security and put them together into a security oversight and think tank group.

    But you have to be a huge company to shoulder the cost of a dozen or more most senior people and to have them all working in roles that are "non-productive" (we know security is productive, but you know what I mean - not producing something that people use.) And even if you do this, is this better than having the normal teams dealing with security? Maybe, maybe not. If security is everyone's job, do you need a department to do it too? If you have a department, does it make the normal teams slack off as they don't feel that they need to take responsibility?

    It seems like the idea of a security "team" isn't a job one but a psychology one. A team is created because you don't trust the standard teams to be secure and feel it is better to have security be something "someone else does" rather than "something everyone does." It requires hiring a special team of top people rather than having your normal teams be better. If a company was failing to hold the standard teams accountable, why would they manage to hold the security team accountable? If accountability is shunted off to somewhere else, does that create conflicts, competition, "not my job" syndrome or just laziness as one team assumes it is another job and the other hopes that the original team did smart things as the security team can't oversee everything?



  • I see, and I think nearly all companies do too which is why these job roles pretty much don't exist in the real world, it as the Conscious problem: It is better to build a fence on top of a hill than a hospital below it.

    Having a security team is like a hospital, dealing with security after a failure. Having security be a part of what everyone does, every day and everyone is responsible is like having a good fence. Prevent problems simply, at the source rather than waiting for the main people to fail and hoping that a crack team catches their mistakes before outsiders catch them.



  • I have a friend who did the security thing in school. He was leader of a team of finalists for a security competition in Virginia, don't remember the name but it was pretty interesting to watch. He was hired directly out of school and works for a huge security firm just outside of DC which contracts to a few of the three letter agencies.

    He was hired at basically minimum wage, or close enough, and was expected to live in one of the more expensive areas of that area. The good news... he loves his job... although he has no savings and has had to defer his loans a few times.



  • @coliver said:

    I have a friend who did the security thing in school. He was leader of a team of finalists for a security competition in Virginia, don't remember the name but it was pretty interesting to watch. He was hired directly out of school and works for a huge security firm just outside of DC which contracts to a few of the three letter agencies.

    He was hired at basically minimum wage, or close enough, and was expected to live in one of the more expensive areas of that area. The good news... he loves his job... although he has no savings and has had to defer his loans a few times.

    So good news is, these jobs do exist in small quantities - which we knew since I've had to assemble a team of thirty for one of them in the past.

    But the bad news is, as suspected in a market that is dramatically over saturated, only the best of the best can get those jobs and even they make peanuts because there is a hundred out of work people willing to do that job for less for every person that gets hired.



  • @coliver said:

    He was hired directly out of school and works for a huge security firm just outside of DC which contracts to a few of the three letter agencies.

    I've worked for a firm that brings in the IT directors from those same agencies and their security chiefs as consultants and told us that while what they told us was interesting and worth learning from, the real benefits were just in knowing where the minimum bar was and never to accept what those three letter agencies did as "security guidance" as they were not on par with us and we were expected to be secure to a much higher standard. 🙂





  • I have a follow up question.

    Security of what? People say security but I think the bigger question is, how is the company defining security. Because security from one company to the next might mean 2 different things.

    One company might focus on HIPPA compliance while the other one is more concerned about what their employees are doing over lunch break. Each of those require people with totally different talents. At least in my opinion.



  • @bbiAngie said:

    One company might focus on HIPPA compliance while the other one is more concerned about what their employees are doing over lunch break. Each of those require people with totally different talents. At least in my opinion.

    I don't think that HIPAA is normally considered security. I've worked in HIPAA and it is normally considered a compliance topic rather than security. Your focus is not about actually securing things but simply meeting compliance requirements. Related in a way, but not the same focus.



  • @scottalanmiller said:

    @bbiAngie said:

    One company might focus on HIPPA compliance while the other one is more concerned about what their employees are doing over lunch break. Each of those require people with totally different talents. At least in my opinion.

    I don't think that HIPAA is normally considered security. I've worked in HIPAA and it is normally considered a compliance topic rather than security. Your focus is not about actually securing things but simply meeting compliance requirements. Related in a way, but not the same focus.

    I get what you are saying, but often when you are meeting the requirements, you are securing your digital assets. I was more or less saying that each company defines security differently. Because of that it makes it hard to define what exactly a security career might be.



  • @bbiAngie said:

    I get what you are saying, but often when you are meeting the requirements, you are securing your digital assets. I was more or less saying that each company defines security differently. Because of that it makes it hard to define what exactly a security career might be.

    Every IT job does security. The different, one hopes, in a security role is that your goal is security. In a HIPAA role security might be a byproduct, but it is not the goal. Compliance is the goal If you are doing HIPAA work your goal is to survive an audit, secure or not, and if you have to decide between securing something and meeting compliance you choose the insecure compliant route.

    I don't think that it really convolutes things. If your career is about security, that's a security career. HIPAA work is all about compliance.



  • PCI Compliance is another good example. The theory is that PCI will make you secure, but it does not. I've seen, recently in fact, PCI work create security problems through bad practices, false sense of security, etc. The PCI work is purely about the compliance and totally ignores security except as a possible, and not consistent, byproduct of the compliance.

    It's not unlike redundancy and reliability, in theory people would be working on reliability for their business but often are lost in looking at redundancy and actually end up losing reliability through focusing on the wrong thing. Compliance work puts security at risk by prioritizing something extra that isn't security in its own right.



  • Sorry to dig this up, but what is wrong with Security +?



  • @IRJ said:

    Sorry to dig this up, but what is wrong with Security +?

    Who said that there was? What is the context of the question?


Log in to reply