Today, several folks have tweeted & retweeted about an article written by "Adriano" at MyInfoSecJob.com. The original article may be read here: http://www.myinfosecjob.com/2011/08/6-reasons-why-you-should-not-work-with-information-security/
I'm not sure if the original post was meant to be funny or cynical. If it was, the intention did not translate very well into text.
I have been working as an infosec professional both in the public and private sector for over 10 years. I am by no means "seasoned" or an expert in anything. I've seen a lot of things, worked with a lot of people, and had my share of experiences both good and bad. I can't say that any of the points made in the original post ring true for me at any point in my career. I also think that the topics discussed can easily apply to anyone in any field of the service industry.
I will address each of the original topics one-by-one and provide my own commentary based on my experiences in the infosec field.
6. Working Long Hours, forever
I work hard every single day, and yes, sometimes I work extra hours. Things do go wrong. Security incidents do happen. This is why I have plans in place and teams on which I can rely. I go to sleep at night knowing my team and I have done the best job we could with the resources available to us. We have the detective controls in place to help ensure that if something does go wrong, we can quickly and efficiently respond to it.
When I first started, I did work long hours. I did shift work on a 24/7 SOC watch floor. My shifts were 12 hours long, and often I would be back at work before the calendar flipped to the next day. Some might not like it, but I loved it. It allowed me to see everything and learn a whole lot. Having a good attitude early in my career is what allowed me to advance and not have to work long hours forever.
5. People Only Remember You When Things Go Wrong
If this is the culture you have bred, then I totally agree. Again, this goes back to attitude. You have a lot of control over how people remember you. Be a security catalyst. Be proactive. Build a culture in your organization where colleagues feel comfortable coming to you to ask questions before they do something or start a project. Help people. Save one group from audit-hell because you saw something and helped them do it the right way before a project went live. How will you be remembered then?
There's not a patch for everything, and you can never be 100% secure. You can however put forth your best effort by implementing good security programs and technology. Set management's expectations. Things will go wrong. Prepare your management so they judge you not on the fault, but rather on how well you respond to the fault. Many companies are in the news recently with breaches and other security issues. What's more interesting to follow… the actual breach, or how well (or badly) the company responded to it?
4. Study, Study and More Study
Why is this even part of the original post? The infosec field gives you an opportunity to continuously self-improve. Once again, it's about attitude. You could sit around, not read, not learn, not try for certifications or higher education. You'll be stuck doing the same thing every day, or worse, not having anything to do at all.
My experience so far has been that companies are fairly generous when it comes to self-improvement. Book reimbursement, on-site training, tuition assistance, and certification vouchers are some of the perks I see. An uneducated you does no good for your company.
3. There Is A Limit For Growth To Your Career
Not true at all. Here I am again talking about attitude. Your career is not constrained to the company for which you work. Sometimes moving up means moving on. You probably can't do either if you're not doing point #4. The original post asks "What are your chances of becoming the CEO of the company you work for?" and "Now, let’s ask our CEO what sort of background he has." Do you really *want* to become the CEO of the company for which you work? Certainly not if you want to stay within the infosec field. Unless you work for a security company, the chances are probably pretty low that your CEO's background is in information security. If you *do* work for a security company and some day want to be the CEO, keep a good attitude and never stop learning. For the rest of us, finishing out your career as a CISO, CSO, CIO, or CTO is not too shabby either. Others are perfectly content staying in the weeds and remaining engineers.
2. No Room For Mistakes
I don't know about you, but I make mistakes all the time. As a security professional (or just being a grownup for that matter), you have to make decisions and take responsibility for those decisions. There were only two months in my adult life when I didn't have to make any decisions. That was my Navy boot camp. Everything was decided for me.
Your attitude dictates how you deal with mistakes — made by you and others. The outcome of mistakes drives changes to your infosec program. You may never have considered something a possibility to defend against until someone in your environment did something wrong. Recognize the mistake. Adapt. Overcome. Adjust your security program to account for it. Everything bad that happens in this field is made possible due to someone's mistake. Patches correct programming mistakes. Baselines correct configuration mistakes.
1. People expect you to crack their exes' Gmail passwords, wireless networks, and combination locks.
Really? This isn't 1995 anymore. I don't have much to say on this topic. Apart from skiddies on IRC, I can't say I've encountered this very much. I think it comes down to others' lack of understanding of what you do. Calmly explain what you do and they'll get bored and move on.
I guess you could say that the original post struck a nerve with me. My impression is that the author has a bad attitude and can't move up and hates his job. If the original post was meant to be satire, I was too thick to get it.