Saw this article over on DarkReading:
Kushner and Murray say they were surprised by security’s high number of unhappy campers — 52 percent of the around 900 security pros who participated in the survey are less than satisfied with their current jobs.
I’m not surprised by low numbers, for a few reasons that I can throw out with no backing research:
- pros from a technical background that may not like being dedicated to writing policy
- “we know better” when it comes to the state of security.
- we’re geeks; and too often we are either happy when we get everything that we want, or unhappy when mgmt can only fund anything less than 100%.
- as geeks and as security geeks, we’re in a growing research-laden industry where new things are being discovered and developed. I’m sure many of us don’t like the day-to-day drudgery work that may come from watching graphs, monitors, and alert dashboards. Many are driven by the discovery, even if it just means self-learning new things.
- organizations don’t properly know what to do with security/security pros as much as security pros may not know how to show value. We’re still struggling to sell the idea that security is a process and you don’t gain as much as you think just because you have a one-time project with lots of “security-in-a-box” purchases.
- we really do have a lot of passion, but that also means we do get affected when we see security fails. And fails so often. And stupidly…
I wonder how many security pros would say they are satisfied with the security efforts/level of the networks and organizations they work with on a regular basis (either their employer or the companies they advise/test/consult for).
I also pulled this quote out:
Kushner says his biggest takeaway from the survey was that security pros are not really mapping out their career paths. “That generally leads to unhappiness, and you wind up in a job you don’t really like,” he says. The key is taking a position that provides the skills and development you need, he says.
I agree and disagree with that sentiment. I agree that one should know what job will make you happy or unhappy, or will move you towards a goal if you happen to have one, and which jobs will not. But I’m not sure “security pro” is something that needs a career path for all people.
There are security pros who probably could use a career path written down so they can move on to CISO/CSO or even lead researcher in the field they want to get into. But there are so many of us that have no desire to manage or, as we often see it, buy into the corporate bullshit and get away from actually *doing* something directly. And plenty that can easily find jobs doing what they enjoy without moving “up” from technical hands-on ranks.
Besides. We deal with security. When was the last time you asked a security geek if they’re happy with the state of their security? I don’t think we ever have “writer’s block” when it comes to ideas to implement or improve things. It’s kinda part of who we are just as much as being a measure paranoid is.
Interesting survey. There’s a difference between being satisfied with your job and being satisfied with the “state of security”…if the state of security were higher, we might not have jobs!
I can see where there is some dissatisfaction with the job, though. “Security pros”…unless you’re the top of the heap…report to someone else. That means that someone else who may not understand what you do, or see things the way you do, has input into and sway over your job, and possibly your performance rating.
As usual another great post Michael. Although I wouldn’t consider myself a Security Pro I do get tasked with some of the security related tasks at my place of work. What struck me about this post was your comment about knowing what makes you happy and moving towards it.
About a year ago I took a demotion from a position as Operations Manager to become once again a Sys Admin, although this was referred to as a demotion to me it was entirely the opposite, I’m a geek at heart and the thought of traveling across the country to sit in a meeting which invariably led to another meeting about the meeting (you get picture) was unbearable when all i wanted to do was get my hands dirty and solve problems.
Coming to the decision about what made me happy and getting back to what I enjoy was a fantastic realisation and since then I have started to look at getting the required education and certifications to become a Security Pro and hopefully be satisfied within that role. I’m hoping that after all my hard work I will be.
I think the hardest thing about being the resident security geek at my place of work is knowing how important it is and trying to make others realise that too. This is the most frustrating part. I often think that sales is an often overlooked skill that should be compulsory for anyone in the field. Selling security to those above is incredibly hard, even with cases such as TK Max it’s hard in an industry with little regulation and legislation.
Anyway, sorry for rambling on, all the best and keep up the great posts. Your blog is one of the first ones I make sure I get to and if I had any friends who were interested in Security (which I don’t) I would definitely recommend it.
Cheers
Lee