At BC Aware Day in Vancouver this past February, I was lucky enough to attend Jack Daniel’s InfoSec Survival Skills talk. Check out the recording or find Jack at a local security conference near you. Jack’s talk focuses a lot on the stresses and triggers we deal with as security practitioners and the coping mechanisms his peers shared with him. All of this got me thinking about the other side of the equation, what keeps us interested in working the field of information security?
Many people are interested in a career in information security, and part of that is the wealth of jobs that are available now and a projected shortfall of over 1.5 million skilled infosec employees by 2020, according to (ISC)2. There are many paths to a career in infosec, and when asked how to “break into cybersecurity”, I often point people to Daniel Miessler’s excellent article on the topic. While the reasons for and paths to a career in information security vary as widely as the potential job roles in the field, there are some common threads.
Most of the infosec peers I encounter are curious about how things work, and either how to break them, how to defend them, how to build them, or a bit of all three. There’s also a common thread of healthy paranoia, that our systems and data aren’t nearly as secure as we might want to think. This paranoia can easily become unhealthy, and lead to worrying too much about breach and compromise scenarios well beyond probability to occur or the possibility to prevent them. However, it’s this same paranoia that enables a security person to see the flaws and attacker motivations that may be less apparent to others.
Over the last few years, revelations about backdoored encryption standards, government eavesdropping, and an unending litany of breached organizations and personal data has borne a lot of that paranoia out to be true. Taken alone, these news reports are something most non-infosec people can easily block out. When combined with the daily work of penetration testing, securing infrastructure, threat hunting, and/or other tasks in a typical infosec career, it can easily become a case of too much bad news, all the time.
The Sisyphean challenge of infosec can be daunting. No infrastructure or application is ever completely secure. Indeed, the most realistic approaches to information security focus on raising the cost for the attacker and frustrating them before they can successfully find and exploit…