Security's Everyman

Monday, November 05, 2007

Why become an IT Security Professional? Part 1

I get a fair number of requests from people asking me for advice on how to get into security or for career guidance on how best to move into a specific area of security. Since these questions often come from readers, I decided to do a couple of posts on this topic. I'm going to try to cover it from a few different perspectives: the "Why to", the "Why not to" and some of the "How to". I hope you find them informative and useful. And as always, if you see something that I'm totally missing the boat on, just let me know. :)

It seems that lots of people want to become information security professionals. I guess they consider it to be the "holy grail" of IT. The problem is that it isn't. It's a great field to be in if you have the skills and passion but it's not the ultimate place to be.

I think that lots of people think that if they break into security they are on their way to financial nirvana. That too is a myth. Don't get me wrong, there are those in security who do quite well for themselves. Yet they are kinda like the people on the exercise infomercials. They start off 40 lbs overweight and after 8 weeks of this "miracle exercise" they have lost all the weight and their abs are well defined and all the world wants to be like them. What they don't show you is that this person worked 50 times harder than everyone else and they were committed to this. They also don't show you the other 100 people who only lost 5 pounds and went back to their old lazy ways right after the trial period was over.

That's the way IT security can be. There are the few rock stars. Those who are really good and who have a passion for what they do. They work hard, they learn all they can and they succeed. They make a name for themselves and make good money. A few make really good money. The rest, well, they spend their days doing what they like doing. They protect networks and data. They look for vulnerabilities and shut them down. They scour code looking for a way to make it safer and they develop tools that make the rest of us look good. They also make just enough to keep them going. They pay their bills and maybe have some to put away, but they are not getting rich by any means.

So, reason number one to NOT become an IT Security Professional, MONEY!! If you are doing it for the money you are doing it for the wrong reasons. Chances are you won't make nearly what you think you will make.


Anonymous said...

Some thoughts on security and money... first, I think that if you're in IT generally, or security specifically for the money – you’re in the wrong place (didn’t we wash all of them out of the profession 6 or 7 years ago?). Not to say that you don’t or can’t make a “premium” salary in comparison with some other career options – because I think you do. But in terms of security – the only way you’re going to be making “rock star” money, is if you are in fact, a security rock star… and you’re in the position to add that kind of value. If you’re the security guru in a company where you’re a cost-center I think you can probably forget the rock-star money – even if it’s justifiable (in your opinion). Because who wants to pay someone for that? And worse – when (not if) a security incident occurs – guess who’s going to be the first to go? Yeah… that security guru with the premium salary who just failed.

Now, if you’re dealing directly with clients, if your value-proposition is in terms of a profit center – say you’re a consultant, or your employer delivers projects where your role results in revenue – then you’re probably in a position to justify premium compensation.

In other words, if you’re in IT for the money – go find an employer where your role sits on the profit side of the house. Short of that – if you don’t want the pressure or hassle of dealing with clients (which, by the way is why you’d be getting premium compensation in the first place), go find an employer with ridiculously high margins (think biotech, or finance), or find a startup to work for with a real-world exit strategy and promises on paper.

Short of that – start a business, go work in sales, get a PhD, or earn an MBA.

Anonymous said...

Well, sure, you shouldn't get into security for the MONEY. Everyone gets into it for the CHICKS. Right?

Yes, the tongue is planted firmly in cheek. I'm not really that bad.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.