Are Security Careers Real?



  • I have a follow up question.

    Security of what? People say security but I think the bigger question is, how is the company defining security. Because security from one company to the next might mean 2 different things.

    One company might focus on HIPPA compliance while the other one is more concerned about what their employees are doing over lunch break. Each of those require people with totally different talents. At least in my opinion.



  • @bbiAngie said:

    One company might focus on HIPPA compliance while the other one is more concerned about what their employees are doing over lunch break. Each of those require people with totally different talents. At least in my opinion.

    I don't think that HIPAA is normally considered security. I've worked in HIPAA and it is normally considered a compliance topic rather than security. Your focus is not about actually securing things but simply meeting compliance requirements. Related in a way, but not the same focus.



  • @scottalanmiller said:

    @bbiAngie said:

    One company might focus on HIPPA compliance while the other one is more concerned about what their employees are doing over lunch break. Each of those require people with totally different talents. At least in my opinion.

    I don't think that HIPAA is normally considered security. I've worked in HIPAA and it is normally considered a compliance topic rather than security. Your focus is not about actually securing things but simply meeting compliance requirements. Related in a way, but not the same focus.

    I get what you are saying, but often when you are meeting the requirements, you are securing your digital assets. I was more or less saying that each company defines security differently. Because of that it makes it hard to define what exactly a security career might be.



  • @bbiAngie said:

    I get what you are saying, but often when you are meeting the requirements, you are securing your digital assets. I was more or less saying that each company defines security differently. Because of that it makes it hard to define what exactly a security career might be.

    Every IT job does security. The different, one hopes, in a security role is that your goal is security. In a HIPAA role security might be a byproduct, but it is not the goal. Compliance is the goal If you are doing HIPAA work your goal is to survive an audit, secure or not, and if you have to decide between securing something and meeting compliance you choose the insecure compliant route.

    I don't think that it really convolutes things. If your career is about security, that's a security career. HIPAA work is all about compliance.



  • PCI Compliance is another good example. The theory is that PCI will make you secure, but it does not. I've seen, recently in fact, PCI work create security problems through bad practices, false sense of security, etc. The PCI work is purely about the compliance and totally ignores security except as a possible, and not consistent, byproduct of the compliance.

    It's not unlike redundancy and reliability, in theory people would be working on reliability for their business but often are lost in looking at redundancy and actually end up losing reliability through focusing on the wrong thing. Compliance work puts security at risk by prioritizing something extra that isn't security in its own right.



  • Sorry to dig this up, but what is wrong with Security +?



  • @IRJ said:

    Sorry to dig this up, but what is wrong with Security +?

    Who said that there was? What is the context of the question?



  • @Dashrender said:

    @thecreativeone91 said:

    I interviewed for a security job a while back, much of it was under NDA so I can't say anything specifically about what they wanted. The only thing I can say is the main thing they were looking for was someone with a Security+ (dumb) and I declined further interviews/processing with the process after the first one.

    A security job where they even bothered to mention Security+, no wonder you walked away.

    @scottalanmiller



  • @IRJ said:

    @Dashrender said:

    @thecreativeone91 said:

    I interviewed for a security job a while back, much of it was under NDA so I can't say anything specifically about what they wanted. The only thing I can say is the main thing they were looking for was someone with a Security+ (dumb) and I declined further interviews/processing with the process after the first one.

    A security job where they even bothered to mention Security+, no wonder you walked away.

    @scottalanmiller

    Oh. That's not that the Sec+ is bad, it is that it isn't a cert for a security job. Security+ is just baseline security knowledge that everyone in IT "should" have, not enough to even talk about a security job. Like having a Network+, it's good for showing that you have baseline knowledge, but if someone had a Cisco Engineering job and they required a Net+, of course you know not to take it seriously. Not because the Net+ is bad, but because "baseline knowledge for normal IT pros" as a requirement for a "specialist" job means that the job is a scam - either completely fake or the hiring manager isn't qualified to talk about it.

    I have the Sec+, it's fine. It's a great "add on" to other certs to demonstrate that you have a good, general knowledge of IT security but nothing more. It's stuff that really everyone should know, but not everyone has demonstrated. In non-security jobs, it should be looked on as some "icing" on your resume. To a security job, it should be ignored as it is assumed that even an entry level security job would have vastly more knowledge than that.



  • Think of the Sec+ as "Security for Non Majors". Great to show that you care and are interested and making an effort. But if you are majoring in Security, you'd better be taking harder classes 🙂



  • That makes sense. What do you think about CISM and CEH?



  • @IRJ said:

    That makes sense. What do you think about CISM and CEH?

    Slightly different. CEH isn't direct security, it's more specialized for a security related, but not normal security oversight role. I don't know how good it is, but it's the standard for EH so... there's that.

    CISM I believe is good, but again, a little outside my ken. It and the CISSP have decent reputations.

    The big question becomes, do they hold career value? And that I cannot answer.



  • @scottalanmiller said:

    @IRJ said:

    That makes sense. What do you think about CISM and CEH?

    Slightly different. CEH isn't direct security, it's more specialized for a security related, but not normal security oversight role. I don't know how good it is, but it's the standard for EH so... there's that.

    CISM I believe is good, but again, a little outside my ken. It and the CISSP have decent reputations.

    The big question becomes, do they hold career value? And that I cannot answer.

    On paper, maybe they do. If you are in IT you have been dealing with security your whole career. It is just part of the job.



  • @IRJ said:

    On paper, maybe they do. If you are in IT you have been dealing with security your whole career. It is just part of the job.

    Exactly, I've almost never encountered a pure security role. When I have (including being the hiring manager for forty six figure and seven figure security positions) they were never "security" people, but just good IT people. If someone's focus is security, I assume they didn't have time to do IT, which means they can't do security. Catch-22. It's just good IT people that you need for security. When global security teams from Fortune 20 security consultancies go looking for seven figure security people, they don't look for any cert at all. They look for skilled, experienced people.



  • @scottalanmiller said:

    @IRJ said:

    On paper, maybe they do. If you are in IT you have been dealing with security your whole career. It is just part of the job.

    Exactly, I've almost never encountered a pure security role. When I have (including being the hiring manager for forty six figure and seven figure security positions) they were never "security" people, but just good IT people. If someone's focus is security, I assume they didn't have time to do IT, which means they can't do security. Catch-22. It's just good IT people that you need for security. When global security teams from Fortune 20 security consultancies go looking for seven figure security people, they don't look for any cert at all. They look for skilled, experienced people.

    I am sure it doesn't hurt to add it to my list of certs. I still need my boss to approve one of my courses.



  • Following up on this... eight months later and I continue to talk to people who want to, are studying for or are looking for work in security, especially in "ethical hacking." Yes, not one has told me that they found work yet. Maybe some have and not mentioned it, but as this seems to represent more than 50% of all people going into tech jobs, it would logically represent a lot of hiring if it existed.

    Anyone know anyone who has gotten work in this area?



  • I know one.



  • @Carnival-Boy said in Are Security Careers Real?:

    I know one.

    Any details? What kind of security job was it? What level? Did he search long? Was he a newbie or heavily experienced?



  • No, it was a guy that used to work for our MSP who was really in to security, and I got told one day he quit the MSP and got a job for a security firm in the City. Dunno more than that.



  • @Carnival-Boy said in Are Security Careers Real?:

    No, it was a guy that used to work for our MSP who was really in to security, and I got told one day he quit the MSP and got a job for a security firm in the City. Dunno more than that.

    Oh okay. Well, it's something.

    I've known one or two people in security jobs so we can extrapolate that at some point they were hired into those jobs. But it was very few people and the jobs never seem to turn over.



  • Well from what I've seen with the IT Security people I've dealt with so far, you just need to be able to read a PDF of rules/guidelines and then tell the people who actually build and administer the stuff what they are and aren't allowed to do. But purely based off of that PDF or document, and with no rational thinking.

    These security people were not previously real IT, but are just IT Security.



  • @Guest said in Are Security Careers Real?:

    @scottalanmiller said:

    Everyone and their brother is a "security expert" today. All of them working at McDonalds.

    Or a computer repair shop but, the pay is likely about the same.

    Nah, Mc****alds pays way more.



  • I've seen contracted IT work for 6-month terms but nothing full-time. I think Chase hires a lot of them. I'm sure some other banks do as well.



  • @wirestyle22 said in Are Security Careers Real?:

    I've seen contracted IT work for 6-month terms but nothing full-time. I think Chase hires a lot of them. I'm sure some other banks do as well.

    What kinds of positions? Having worked for those big banks, it's extremely rare. I've seen zero of that internally.



  • @scottalanmiller said in Are Security Careers Real?:

    @wirestyle22 said in Are Security Careers Real?:

    I've seen contracted IT work for 6-month terms but nothing full-time. I think Chase hires a lot of them. I'm sure some other banks do as well.

    What kinds of positions? Having worked for those big banks, it's extremely rare. I've seen zero of that internally.

    Security Analyst I, II, III etc. Auditing essentially.



  • @wirestyle22 said in Are Security Careers Real?:

    @scottalanmiller said in Are Security Careers Real?:

    @wirestyle22 said in Are Security Careers Real?:

    I've seen contracted IT work for 6-month terms but nothing full-time. I think Chase hires a lot of them. I'm sure some other banks do as well.

    What kinds of positions? Having worked for those big banks, it's extremely rare. I've seen zero of that internally.

    Security Analyst I, II, III etc. Auditing essentially.

    Okay, we don't generally consider those to be security OR IT jobs. That would explain it. Yes, I've seen tons of those in the banks. They are secretarial level jobs. The people doing them literally don't know how anything works. We would get questions like "why do we use SSH" or "can we prove Active Directory is useful."

    Those are actually great examples of my point.... they appear to be security and/or IT jobs until you actually look and realize that are not actually a part of either discipline (normally.) Auditors are low cost, untrained people who do reports for checkmarking insurance or similar requirements. They are actually enemies to the security team. We've had the auditors try to have us disable security systems before.



  • The IT Security field has blown up recently and yes you can definitely make a career out of security and not be an auditor. I did learn that there are IT security people who essentially Auditors and then you have people like me that do hacking and penetration testing. Penetration Testing takes real skills and real knowledge of various Operating Systems, network devices, and protocols.



  • There is a program called CyberPatriot that is teaching kids in middle and high school cyber security. The idea behind this is that we are not creating the correct IT workforce needed to fill these jobs or so the people pitching the program (and LAUSD) say. I would love to hear @scottalanmiller talk to them about what he has seen in the industry.



  • @SamieWalters said in Are Security Careers Real?:

    There is a program called CyberPatriot that is teaching kids in middle and high school cyber security. The idea behind this is that we are not creating the correct IT workforce needed to fill these jobs or so the people pitching the program (and LAUSD) say. I would love to hear @scottalanmiller talk to them about what he has seen in the industry.

    I think that security training is awesome and that we need tons more of that. But that it needs to be something that everyone does rather than making loads of specific roles around it. As long as security is something that "someone else" does, we won't be very secure.



  • A co-worker stopped me this morning to tell me that her relative who works at local finance place is requiring their HR people to give their usernames/passwords to all of the other HR members so "things can get done" when they are not in the office. Total fail.

    I wanna say she said it was Ameritrade, but I could be wrong.


Log in to reply