
One Man's Life on the Security D-List

At Security B-Sides, infosec author Andrew Hay explains the four pillars for moving from the bottom of the IT security shop to a place of respect, and why getting to the A-list isn't all it's cracked up to be.

By , Senior Editor

March 02, 2010, CSO

SAN FRANCISCO -- It used to be that security practitioners were seen as propeller-hat wearing introverts hunched over computers in dark, cold basements for weeks on end, shunning daylight and anyone who tried to start a conversation with them. Times have changed. But the path to respect isn't always what you'd expect.

Thanks to the blogosphere, social networking sites and podcasting made easy, many security pros are taking on a much more public persona, becoming near-rock stars. Evidence of this can be seen in abundance at this week's RSA conference and the nearby Security B-Sides event.

True, many security pros still prefer the quiet, isolated life. It's also true that the introvert tag was never a fair fit for many people. But several conference attendees acknowledged that theirs has become a much more public profession. It's a necessity, they say. To truly improve security, people need to be out there communicating the threats computer users face and how to mount the proper defenses.

Andrew Hay, information security analyst at the University of Lethbridge, opened Security B-Sides with a talk about his life on the "Security D-List" and the four pillars one can use to move higher up the ladder.

Hay, a specialist in forensics, incident handling and network security management, explained that there are few celebrities in the security industry, that many practitioners are celebrities without knowing it, and that there are also those who are stars and will let you know it at every opportunity.

"When we start our career, we are on the D-List and it's a tough climb out," Hay said. "Many are happy to stay there, others want to do great things. Very few see themselves as A-List. Many think they're above D-List."

Using an unscientific pie chart, he estimated that 84 percent of security practitioners are on the D-List. The A-List is made up of those who are asked to present at conferences, get comp time from their employer to do it, and have invented something everyone has used.

Those on the B and C lists write blogs and have achieved some notoriety, but are harder to pick out in the crowd, Hay said.

"When you start you're just a security grunt in the trenches and it's really hard to blaze a trail," he said. "I started doing dial-up tech support, then I got into network security, and became a product manager."

Eventually, Hay went on to write such books as OSSEC Host-Based Intrusion Detection Guide and Nagios 3 Enterprise Network Monitoring.
