Mike Murray opines about why information security is the hardest career. He makes true points about how security needs to stay on the forefront of change in technology. (Although you can poke holes in the career examples, it is the point that counts, not the specific details.) And it is true. I could learn how to code something today, and probably live by honing that specific skill for a decade or longer. Security, however, doesn’t have that luxury. You tend to have to be knowledgeable in many things, and sometimes at a workable level with those whose whole years are embroiled in that one technology (advising web app devs on secure coding [json] practices, for example).
I sometimes feel security consultants have a sweet gig. They can drop the hard projects in a few sentences and walk away all smug and feeling helpful, when those projects may in fact simply be impossible in practice for various political or economic reasons (“run a vuln scan and address every finding” is typically *not* a casual weekend project). But I admit they have the most need to be on top of everything new as they no doubt get the joy of answering questions on technology so new they’ve never even heard of it yet.
And none of this really goes into the dirty work of not just keeping up with new things, but keeping the existing things monitored and updated and in check as time marches on and attackers try everything from new techniques to old goodies from 10 years ago.
No matter where you are in security and how you try to roll it, it’s a difficult task and a stressful but fun career. Then again, maybe I’m dramatizing it since I’m in it… 🙂
Mike and Lee’s talk at Defcon is one of those few talks I really should have attended, in retrospect. Hell, I still have to find and download it!