These days, security people have a lot of opportunity. Between a recovering economy, ongoing high-profile security issues, budgets and executive attention - more than ever before, security people have options. You spend a lot of time at work, more than on almost anything else, so it pays to be choosy about how you spend your time. Here are some thoughts on how to identify where and how you may be challenged and rewarded.
First off, do not just look at the company name or the job title. Those have little to do with job satisfaction. I know people at big-name tech firms and game companies that would seem glamorous, and they strongly dislike their jobs. I have seen people in humdrum industries that have long-running, enjoyable careers. The label on the company and the title are not in the top 10 things to consider.
Sure, you need to care about things like compensation, benefits, and bla bla. But in the long run I think it's simply about this - can your infosec work make a difference?
The people I see that stick with their companies and enjoy their work all have one thing in common: security is valued.
So the analysis to do for prospective employers is really around - can your infosec work make a difference to the company, to its users, to its long term competitive advantage? How is security viewed in the context of the overall enterprise, customer relationships and ongoing mission?
Too often, infosec ends up being compliance driven, or checkbox Olympics, or the department of No (that eventually gets the run around). These people get burned out quickly.
This is not to say you will be in a position where you win all battles. Security is like baseball: if you get a hit 3 out of 10 times, you are in the Hall of Fame. But there is a big difference between hitting 3 of 10 and not even being allowed to swing the bat, not getting invited to key meetings, your input not being valued, or maybe worst of all, being viewed strictly as a compliance, CYA activity.
Here are some things I would try to suss out in interviewing a prospective employer.
* Where does the CSO report?
By itself this does not tell you much, but it can indicate how security is viewed. If the CSO reports to the CFO versus the CIO, this could alter what the expected outcomes are.
* What is the typical daily/weekly/monthly decision set for your role?
If it's just running scans and posting stats, you may be farting in a hurricane. It's important to know not just what you design/build/test, but where and how those are used. Who are the consumers of security services and how widely are they distributed? Security is filled with subjective 60/40 decisions; which ones is your role responsible for, and in what capacity - end decision maker, implementer, advisor?
* What are the hurdles towards security improvement?
If it's “we'll avoid this team” or some such, that should set off alarm bells. If you feel like infosec is treated as something only to be gamed, that should as well. A long time ago I was in a company where security was a game, but I asked some harder, and I thought important, questions. I tried to be mild mannered, not jerky, but this simply “wasn't done” and resulted in a director throwing a pencil at me. Also: if someone throws a pencil at you for asking basic questions, I would say - avoid.
* Is security centralized or decentralized? What teams does security partner with and how?
This is a huge factor. Security cannot practically be delivered by a centralized team any more. Partnerships are absolutely huge. Do you have exec air cover? What is the mandate for working with developers, ops, and “the business”? What is the cadence and nature of engagement with other teams? Are they, heaven forbid, actively seeking out the security team for guidance on architecture, design and development issues? Is it a proactive pull, not only a security push?
* Speaking of “the business” - what do “they” see as the primary security goals?
Is it brand reputation? Operational impact? Customer retention? IP protection? Throughput? This will tell you a lot about how empowered security is likely to be to facilitate change.
* What does “good” security look like?
Steve Markel, who runs an eponymous insurance company, winces every time his office phone rings. Why? As he says - there is no such thing as a good incoming call in the insurance business. Security is similar; it tends to be a capability where you work your butt off, and if you succeed you get a C and if you fail you get an F. Usually, these are the types of situations to avoid, but alas, that's the business we've chosen in infosec. Does your prospective employer recognize this, and how do they deal with it?
These are just some questions to get started; please add any other ideas in the comments.
If you are going to be working anywhere near application development organizations or teams, I would ask a number of detailed questions about their AppSec development practices. You might not want a role where you need to spend lots of your time trying to convince members of an AppDev organization to follow basic professional practices: source code management, quality/bug scans, security scans, etc.
Posted by: Brian B | May 01, 2015 at 02:50 PM