Saw this article over on DarkReading:
Kushner and Murray say they were surprised by security’s high number of unhappy campers — 52 percent of the around 900 security pros who participated in the survey are less than satisfied with their current jobs.
I’m not surprised by low numbers, for a few reasons that I can throw out with no backing research:
- pros from a technical background that may not like being dedicated to writing policy
- “we know better” when it comes to the state of security.
- we’re geeks; and too often we are either happy when we get everything that we want, or unhappy when mgmt can only fund anything less than 100%.
- as geeks and as security geeks, we’re in a growing research-laden industry where new things are being discovered and developed. I’m sure many of us don’t like the day-to-day drudgery work that may come from watching graphs, monitors, and alert dashboards. Many are driven by the discovery, even if it just means self-learning new things.
- organizations don’t properly know what to do with security/security pros as much as security pros may not know how to show value. We’re still struggling to sell the idea that security is a process and you don’t gain as much as you think just because you have a one-time project with lots of “security-in-a-box” purchases.
- we really do have a lot of passion, but that also means we do get affected when we see security fails. And fails so often. And stupidly…
I wonder how many security pros would say they are satisfied with the security efforts/level of the networks and organizations they work with on a regular basis (either their employer or the companies they advise/test/consult for).
I also pulled this quote out:
Kushner says his biggest takeaway from the survey was that security pros are not really mapping out their career paths. “That generally leads to unhappiness, and you wind up in a job you don’t really like,” he says. The key is taking a position that provides the skills and development you need, he says.
I agree and disagree with that sentiment. I agree that one should know what job will make you happy or unhappy, or will move you towards a goal if you happen to have one, and which jobs will not. But I’m not sure “security pro” is something that needs a career path for all people.
There are security pros who probably could use a career path written down so they can move on to CISO/CSO or even lead researcher in the field they want to get into. But there are so many of us that have no desire to manage or, as we often see it, buy into the corporate bullshit and get away from actually *doing* something directly. And plenty that can easily find jobs doing what they enjoy without moving “up” from technical hands-on ranks.
Besides. We deal with security. When was the last time you asked a security geek if they’re happy with the state of their security? I don’t think we ever have “writer’s block” when it comes to ideas to implement or improve things. It’s kinda part of who we are just as much as being a measure paranoid is.