Friday, October 21, 2016

A Short Rant about the Information Security Industry

My employer hosted a public lecture on the relative insecurity of the voting process in the US last night. I’ll post a link to the recording once it’s live. During the lecture though, I got excited and started texting commentary to a non-IT coworker who was also present. This morning she asked me, if I was so passionate about the subject, why I wasn’t working on it. My off-the-cuff answer is that no one will pay for it. And while in this particular instance it’s true, there’s more to it than that.
I think, if I’m honest, that I don’t want to work in the industry. I don’t like the way it feels. I go to professional conferences and hear people talk at one another about the problems, and it’s a lot of “they” don’t understand what we do, and we need to convince the C-suite to give us money. After that a vendor stands up to pitch their latest firewall with a nifty new dashboard. Sometimes they even have the guts to try to disguise it as an academic or scientific talk about new threats, but it’s the same crap in a different wrapper, and they’re not fooling anyone. I earn 8 credits toward renewing my CISSP for enduring this.
On the flip side, the hacker conferences are at least fun. Everyone gets drunk and shows off their coolest science projects and bitches about The Man and then signs up to interview for a job with an NSA contractor.
The employment opportunities themselves feel parasitic, feeding off people’s fear of technology they don’t understand, or at least fear of getting sued. I read postings on LinkedIn, and they want someone to check boxes to make sure they’re in compliance in case their practices come under government scrutiny, or they want someone to configure ACLs and build concentric walls and moats because that’s the analogy that’s been fed to them. For the people already in these positions it’s a cushy gig. They don’t have to actually DO very much, but they can still scream for more resources and cry that no one understands how important they are. I close my browser and walk away without sending my resume.
I want to help solve problems. I want to minimize fear and mitigate unnecessary risk. I want to help make our society a safe place without sacrificing freedom. Admittedly, I also want a steady paycheck. If something like that opens up, give me a call. Until then I’ll continue to watch from the sidelines.