Saturday, April 10, 2010

InfoSec Career Advice

There are a lot of people giving InfoSec career advice.  It seems like every security conference has someone offering you career advice on where to work, what classes to take, and what certifications to go for.

I want to take a realistic approach to Information Security career advice.  The reason there is a lot of useless InfoSec talent out there - that's right, I said it, useless - is that none of the "new blood" I'm running into has any business sense.  I'm not advocating more of the top-down management that drives people with MBAs to be security leaders, but I think it would give the security teams out there some credibility if they could speak the language of business as well.

Interestingly enough, one of the more honest observations I can make is that there is a ton of analyst-level corporate InfoSec talent looking to push buttons, run scripts and get results.  There is a distinct lack of the analytical mind, business-level understanding and, even worse, common sense.  Working for a web app sec tools vendor is interesting because, as a recent "researcher" proved with a ridiculous published report, users expect to be coddled.  InfoSec analysts in corporate IT expect to buy something and have it do their job for them - they aren't expecting to think.

It's just mind-numbing that the types of things many of the more senior-level minds in InfoSec had to go through and learn not more than 8-10 years ago are just not making it into the curriculum.  Someone approached me at the last conference I spoke at and told me that she had just graduated with a degree in "information security" from some college, and asked me where I would advise her to go work.  Her understanding was that going through school classes, and being able to write shell scripts and analyze packets, qualified her for a senior-level position with a large enterprise.  Wrong!

Being smart and having talent in technology does not a good InfoSec analyst make.  So my advice?

"If you want to contribute meaningfully to the Information Security field - go do something else first... business analyst, risk analyst, project manager, developer... anything!  Learn how the business works, learn what keeps you employed - learn how your company and business make money."

You probably already get the technology - but can you tell me how it applies to what the business does?

1 comment:

Peter Abatan said...

IT security is always accused of being too tactical and weak strategically. Unless one understands the impact of a security or data breach on an organisation from a broader perspective, how will you be able to give sound strategic advice?

Understanding risk from a business perspective, financial analysis, managing projects etc. will help one understand that an organisation's resources are finite; as such, it will help you to carefully consider your purchasing decisions.

I strongly agree that IT security professionals need to be business-savvy experts, especially if they want to make it to the boardroom level or become strategic advisors to boardroom advisors.