Now that the craziness of Blackhat/Defcon week is over, I feel I can put down some words about what we will be raving about on there, which is what life in the Infosec industry is like. First of all, who are we, as a group? While it’s never totally accurate to generalize, Infosec people tend to fit into one of several molds. First is the most popular version of a computer security professional, which is that of an ex-hacker, getting paid to ply their seedy trade legitimately. True, there is a segment of the Infosec population that meets that vision, but it’s more media myth than reality. There just aren’t enough former hackers out there to fill our industry. Besides, felony records don’t usually get you employment with the government or blue chip sectors, in spite of what movies might have you believe. The other portion are the law enforcement types, either those who are formally so, or the wannabes. Many branches of law enforcement and the military employ us geek security types to keep our nation’s infrastructure secure or chase down the bad guys. Some of us just like to feel like we are the good guys defending justice and the American (or insert national allegiance) way through our cyber good deeds. But again, the romantic idea of us being hacker chasers, burning up electronic shoe leather to chase shadowy figures, is mostly fiction. Finally, there are the guys (and girls) who just fell into the job, being system administrators or programmers who were a little too good at this and were given the jobs whether they liked it or not. And finally, there are the mercenaries: folks who see the big money (or bigger money anyways) in the field and have chosen this devotion primarily for the monetary benefit. So we are a wide and varied lot, contrary to the stereotype of black-ops nerds in darkened rooms with cathode ray tans.
For myself, I was long drawn to the industry, before it was considered an industry. My interest in computer security came shortly after my life-long obsession with computers started in junior high. One of the reasons was curiosity about how the computer criminal mind worked. The hacker/cracker mindset was unlike almost any other criminal thought-set, in that it was usually highly intelligent and usually devoid of any commercial motive (at least until recently). I devoured stories on the early hacker underground, its infamous stars and their exploits, and decided that this was where I wanted to be. The field also challenges me in a unique way intellectually that no other IT work seemed to do. It is always throwing a new challenge or problem your way, making you think on your toes. But that’s just my story; there are a thousand others.
I also think that Infosec requires a skill set that is above almost all other areas of IT because it requires a strong understanding of many other IT disciplines as a background. You can’t be a good Infosec person if you don’t have a grasp of networks, coding, operating systems, databases, etc. I think it attracts the cream of the crop of the IT world, but then again, I’m biased.
Plus there is part tinker/inventor/explorer to our work. We are constantly fiddling with IDS settings, tweaking firewall rules, trying to figure out what a particular hacker is doing. Our job is part Sherlock Holmes, part gatekeeper, part network disciplinarian.
However, before you on the outside are ready to sign up for this sexy CSI-type job, realize that while there are moments of high excitement, it’s mostly stultifyingly boring. Anyone who has ever had to write policies, conduct an audit or pore through endless logs can attest to this. It’s somewhat like war, 1 part pure terror with 99 parts pure boredom, without all the nasty bullets and dying and such. I guess that one part makes the other 99 worth it.
So we get to do some cool stuff once in a while, occasionally track down some bad guys and claim victory, but mostly, it’s just a job, the one I’ve chosen to do.