Are Security Careers Real?
-
So, real question. I know that security careers exist, but in the real world do they actually exist in any quantity? I have worked as some huge companies and some that are world renowned for their security, including ones that work with some of the biggest government security agencies in the world (actually, THE biggest.) And even in these places, while security jobs exist, they are few and far between. The bulk of IT jobs are not security ones. Someone needs to design the networks, build the servers, create the apps, manage it all. And in smaller firms or more normal ones, security-focused jobs don't seem to exist at all.
I know that there are some security specialty shops out there (I've been asked to lead teams for one of them.) But even big ones that I have worked with just use skilled "normal" IT people, not "security" specialists.
Yet when I talk to people entering the field, it seems like over 50% of all career aspirations are to become a "security guy", but where are these jobs? Where is the idea that there is any job out there for these people, let alone a field as big as IT is already today, just waiting for a new generation of "security specialists" to enter the field and take these jobs?
I'm not downplaying security, it's critical. But everywhere that I've been that cares about security pushes that job to everyone and expects security to be part of what everyone does, not something handled by one super secure guy sitting in a secret lair.
Am I alone in seeing no security specialty jobs out there in the real world or are half of all people entering IT in for a rude awakening when they go to apply for work and there are no careers in the category that they have selected to train in. It almost seems like colleges have made a curriculum because any industry has created the career.
-
I should point out that while I hear, almost daily, from someone getting a security cert or going to school for security - that I have yet to hear of a single person who ended up getting a job doing security. I've heard lots and lots of "positive thinking" but no one has ever returned to tell me of a success story after becoming educated in security.
-
Perhaps you don't hear about it because the first rule of a security job is "You don't talk about security jobs"?
-
@nadnerB said:
Perhaps you don't hear about it because the first rule of a security job is "You don't talk about security jobs"?
That's as good of a theory as any.
-
I interviewed for a security job a while back, much of it was under NDA so I can't say anything specifically about what they wanted. The only thing I can say is the main thing they were looking for was someone with a Security+ (dumb) and I declined further interviews/proceeding with the process after the first one.
-
@thecreativeone91 said:
I interviewed for a security job a while back, much of it was under NDA so I can't say anything specifically about what they wanted. The only thing I can say is the main thing they were looking for was someone with a Security+ (dumb) and I declined further interviews/processing with the process after the first one.
A security job where they even bothered to mention Security+, no wonder you walked away.
-
NSA hired them all
-
@thecreativeone91 said:
I interviewed for a security job a while back, much of it was under NDA so I can't say anything specifically about what they wanted. The only thing I can say is the main thing they were looking for was someone with a Security+ (dumb) and I declined further interviews/proceeding with the process after the first one.
Any company under NDA is using security through obscurity. The NDA is enough to make me walk away. This is why I decline to even talk to Google - they've failed the hiring process before we even talk in person because their NDA flags them as way too low end to even warrant a discussion.
-
@scottalanmiller said:
@thecreativeone91 said:
I interviewed for a security job a while back, much of it was under NDA so I can't say anything specifically about what they wanted. The only thing I can say is the main thing they were looking for was someone with a Security+ (dumb) and I declined further interviews/proceeding with the process after the first one.
Any company under NDA is using security through obscurity. The NDA is enough to make me walk away. This is why I decline to even talk to Google - they've failed the hiring process before we even talk in person because their NDA flags them as way too low end to even warrant a discussion.
Yep, I will never do an interview under NDA again.
-
I think for most folks they wind up being thrust into that position. At my last job, I had to learn pretty much learn things as I went. Not that security was an after thought, but as I'd learn something new for another project, I would go back and apply those same security principles to past projects and servers.
-
@thecreativeone91 said:
Yep, I will never do an interview under NDA again.
Or if you do, you won't tell us
-
@dafyre said:
I think for most folks they wind up being thrust into that position. At my last job, I had to learn pretty much learn things as I went. Not that security was an after thought, but as I'd learn something new for another project, I would go back and apply those same security principles to past projects and servers.
Yup, I've been put in security roles, but it was a role, not a career path. It didn't come from something else, it didn't lead to something else.
-
@dafyre said:
I think for most folks they wind up being thrust into that position. At my last job, I had to learn pretty much learn things as I went. Not that security was an after thought, but as I'd learn something new for another project, I would go back and apply those same security principles to past projects and servers.
I have that happen before being put in it. I was put in the position at the county. and Security WAS an afterthought. Heck when I started it there it was server 2000 domain with the main DC having a 1:1 Nat mapping on it with no firewall in between, you could authenticate to it from home.. And the DC was a Terminal Server too!
-
@thecreativeone91 *me runs away and hides.
-
Security I thought was a real golden ticket at first, then you realize that if someone wants in they'll win eventually, no matter what you do. I don't like to lose and that'd be a struggle for me.
-
@MattSpeller said:
Security I thought was a real golden ticket at first, then you realize that if someone wants in they'll win eventually, no matter what you do. I don't like to lose and that'd be a struggle for me.
That and everyone thinks that it is a golden ticket. Like any "popular" career, that forces it to be the entry level work. Everyone and their brother is a "security expert" today. All of them working at McDonalds.
-
And most companies do not care about security unless it costs them a lot, but then they still don't care about it or your data; They just care about the financial implications of it.
-
@scottalanmiller said:
Everyone and their brother is a "security expert" today. All of them working at McDonalds.
Or a computer repair shop but, the pay is likely about the same.
-
@thecreativeone91 said:
@scottalanmiller said:
Everyone and their brother is a "security expert" today. All of them working at McDonalds.
Or a computer repair shop but, the pay is likely about the same.
-
@thecreativeone91 said:
@dafyre said:
I think for most folks they wind up being thrust into that position. At my last job, I had to learn pretty much learn things as I went. Not that security was an after thought, but as I'd learn something new for another project, I would go back and apply those same security principles to past projects and servers.
I have that happen before being put in it. I was put in the position at the county. and Security WAS an afterthought. Heck when I started it there it was server 2000 domain with the main DC having a 1:1 Nat mapping on it with no firewall in between, you could authenticate to it from home.. And the DC was a Terminal Server too!
Nice! I've seen that setup before (and no, I wasn't the one who put it in :P)