This is a useful exercise to do with oneself every now* and then: If I had xx million dollars right now, jobwise, what would I do? A few things spring to my mind…
1. Let’s get this out of the way first: Nothing. Retire and travel around the world to beautiful places and experiences. Play video games. Do whatever. Nothing too crazy.
Goal: Relaxation.
Why not do it now? Duh, $$$
2. Open a store: combination arcade, video/PC gaming, tabletop gaming, culture.
Goal: Enjoyment!
Why not do it now? A store like this won’t yield crazy margins and probably won’t ever be profitable. But if I had the money to eat the losses, I can think of many, many, many other less interesting and fun ways to spend my life.
Ok, now let’s get back to the real world for a bit.
3. Security consulting business. Now, I’m not talking some generic consulting where you just regurgitate the latest NetworkWorld news blurb or Gartner reports on what products in the AV space to buy. I simply want to answer security questions and help someone improve their security. I’d want to have the ability to dive in deeper as well, such as evaluating weaknesses in an IDS/IPS deployment and configuration, making recommendations on staffing for technologies, code development processes, testing detection and response, what works and what doesn’t in identity management. Not just top-level non-actionable things, but actually fingers-in-the-shit sort of work. Basically one step away from being on staff/contractor, so that the things I can talk about are also things that can be lived with, and any questions I can’t answer (like how do I protect against XSS in this specific function?) I can spend the time to figure out the answer. I wouldn’t want to be the consultant who says, “Classify all your data,” and then walks away with a paycheck for dropping that load of shit on some CIO’s desk when there are many other actionable items that can be tackled first. Even small things like the PCI item to discover all CC info on the network would be fun, without just saying, “Buy DLP.” Any down time would be spent as I do now: tinkering with whatever I want to dig my fingers into, and staying abreast of the community.
That’s a huge paragraph, and I’m probably being more detailed than I need to be. Essentially like 1 part security analyst, 1 part architect, 1 part coder, 1 part auditor, 1 part pen-tester, 1 part manager, 1 part managed security service provider…
Goal: I love doing it (defense and offense), including the allowances for profits/convenience.
Why not do it now? Simply financial risk.
Why not do it now, part 2? I’m not much of a salesperson; I often understate my abilities rather than thinking I’m a qualified expert.
Why not do it now, part 3? Ok, fine, as Rothman excellently points out, I could almost do this now by taking on the consultant attitude. Other than not having a dedicated security role right now (general ops), I could be there.
4. Pentesting. I get that it’s not all fun and games and there’s tons of report-writing and analysis and screen-staring and delivering the same old report to hostile managers and fruitless scanning and frustration at squeezing 2 months of work into 72 hours on site. I get that. But I’d still love to be doing it.
Why not do it now? Re: an earlier point, I feel like I could use some “junior” time under a mentor/guidance.
Why not do it now, part dos? Honestly, I feel like I would suck for several years until I gained more experience and instinct, and I hate underdelivering. That would be a rough few years where financial security would be nice. But for someone who self-describes as having the logical/analytical/paranoid mindset that is nice for security, it’s really just a matter of getting experience under the belt.
Any number of roles also come to mind or even my own managed security services firm, though I still am not sure of their value, ultimately. Even doing some auditing, but I also feel like that will never be profitable because of the corners so many other firms cut in order to do more and quicker audits while keeping customers happy (i.e. as much good news as possible).
As far as company size, I don’t mind large companies all that much, or even just being a cog in a much bigger wheel, but I would love the family-and-friends feel of a smaller shop, where you can relax and be yourself in the office and not just have it be a stuffy 9-to-5 sort of environment. I’ve actually been in a start-up for a summer, and while it was ultimately a waste of time, I think, I did really enjoy the informality and get-it-done feeling. (The Penny-Arcade office atmosphere comes to mind…)
The ultimate goal that makes me happy, though, is helping someone better understand the security of their data, business, network, systems, and ultimately people.
* I actually just hit my 5-year anniversary at my current job. A bit of a milestone that causes me to sit back and think about where I am now and my next 5 years…