Network Jockeys and Security Visionaries. Life in the InfoSec Sideshow.

Anyone looking at the job market can attest that openings for security engineers are a dime a dozen.  These are the guys that configure the firewalls, intrusion prevention systems, and all sorts of techno gadgets that protect us from the bad guys.  What you don’t see are masses of openings for security analysts or security officers. 

Is there really such a need for the techie engineer types?  My experience tells me that these guys are being used to handle security for the whole organization.  That is to say, Bob the security engineer is also being tasked with policy development, risk analysis, and selling security across the business.  Is this really a good idea?  Think about it a moment.  You know this guy.  He sits down the hall from you.  He’s the one with the Dungeons and Dragons figures on his desk, coffee stains on his shirt and crumbs in his beard.  Sure, he’s a nice guy, quirky, but nice. 

Now imagine putting Bob in front of your boss to propose organizational changes that will improve security across the company.  Bob starts spouting off about ARP poisoning, static routes, LDAP, and a cacophony of other acronyms.  If your boss ever recovers from the mind numbing “presentation”, rest assured that you will take a black eye for the fiasco.

Why then does business forgo the security visionary, those of us that can build a security program from the ground up?  Let’s face it we don’t make ourselves known.  In the mainstream at least, ours is a very new profession, whose growth is hastened largely by legislation.  Every time I tell someone that I am the Chief Information Security Officer, I know what the next question will be.  “So you’re a police officer.”  I get this so often, I have considered getting shirts printed that say, “No, I am not a police officer.”  I may even get it printed on my business cards.

I believe that because our profession is so new, that most businesses haven’t realized its value.  They solve security problems the way the solve network or technology problems by tossing money or hardware at the problem.  Money and technology are great, don’t get me wrong.  In fact, if anyone wants to send me either I’ll be happy to take it off of your hands.  Money and technology can solve a number of security problems, but if you don’t look at the whole security picture through the eyes of the security visionary, how can you know that you have solved the problem, or that there was even a problem to solve in the first place?  The security visionary looks at the whole business, not just the packets on the network.  The visionary determines what level of risk the business can bear, where those risks lie, how best to mitigate those risks to an acceptable level, and most of all builds security into the culture of the business.  I doubt that you’ll find that in any off-the-shelf network jockey turned firewall administrator.

Until business matures and sees the need for our services, I am afraid that my security brothers and sisters are destined to remain in the shadows.  But don’t be afraid, people think that we’re police officers, so no one will bother us.