Wednesday, 12 August 2009

Thoughts on Security Careers

Several recent blog posts have discussed security careers. I'll start with Anton Chuvakin's post A Myth of an Expert Generalist:

Lately I’ve run into too many people who [claim to] “know security” or are [claim to be] “security experts.” Now, as some of you recall, I used to do theoretical particle physics before I came to information security. In my physics days, I’d be pretty shocked if I were to meet a colleague in the hallways of the C.N. Yang Institute for Theoretical Physics who would self-identify as “a scientist” or, for that matter, even as “a physicist.” It is overwhelmingly more likely that he would say “quantum chromodynamics” or “lepton number violation in electroweak gauge theories” or “self-ionization of the vacuum” or some such fun thing...

I think this has a lot to do with the fact that the area of security is too new and too fuzzy. However, my point here is that a little common sense goes a long way even at this stage of our industry development. In light of this, next time you meet “a security expert,” ask him what is his area of expertise. If the answer is “security”, run!

Finally, career advice for those new to information security: don’t be a generalist. If you have to be a security generalist, be a “generalist specialist;” namely, know a bit about everything PLUS know a lot about something OR know a lot about “several somethings.” If you ONLY know “a bit about everything,” you’d probably die hungry...


Those are interesting insights. I agree with Anton's characterization of the field as being "too new." Theoretical physics is well over a hundred years old, while digital security is about forty years old.

Jeff Snyder's Security Recruiter Blog posted two good stories recently. The first is Hiring: Why Some Security Jobs Go Unfilled:

I started thinking about why some jobs are open for so long or go unfilled entirely...

A company recently sent a Security Analyst / Security Engineer job description to me for my review. They’ve had the job posted to major job boards for months but can’t seem to find the right person. As I studied the description, I quickly recognized that they were looking for at least two and possibly three different skill sets that typically don’t fit together in one person’s resume.

I pondered why they would create such a difficult expectation that essentially set them up to fail in their quest to find the right security job candidate... [C]ompanies across the nation is a significant squeezing of the belt. CISOs are pressured to deliver more results with less resources. Security professionals have to wear more hats than ever before and they have to be great at nearly everything they do in order to capture the most appealing jobs...

Recruiters don’t create candidates, we find those who already exist. If the person a company wants to hire doesn’t exist or doesn’t exist very often, I may be staring at a search that is set up to fail.


I agree with that statement too, but this idea of wearing so many "hats" is a recipe for failure. Most security people can't keep up with one aspect of the industry, let alone multiple aspects. I wrote about this issue several years ago in More Unrealistic Expectations from CIOs when I raged against the idea of a "multitalented specialist."

My third post again comes from Jeff Snyder, in Conversation: With a CIO regarding his Security Staffing:

The CISO was explaining his company’s need to cut back on staffing levels... [S]omeone came up with the idea that this CIO's company could live with one less information security professional.

As of now, they have one security professional who does security analysis and project management work but not a lot of what he does is considered deeply hands-on technical work.

The other security professional on this CIO's staff is a hands-on technical professional who has very deep technical skills but he is not strong with regulatory compliance, risk management work or work that requires strong interpersonal skills...

My recruiting partner and the CIO came to the conclusion that both security professionals might have to go in order to hire someone who had a broader skill set that included both the business / risk / interpersonal skills and the deeply technical components all wrapped up in one person’s security / technology risk management skill set...

Security professionals in both the present and the future need to bring broad skill sets to prospective employers in order to satisfy the growing demands found in hiring managers’ job descriptions.


Wow. That is a recipe for disaster. Lay off two people who already understand the business in order to replace them with one newbie who is expected to do both jobs? Isn't that the unrealistic expectations problem cited in Jeff's first post?
