> Well, no wonder you're not happy; you need a reality fix. You are looking for
> the impossible and will never find it.
I'll take that under advisement. I don't really disagree with the general
tenor of your comments---I do, however, disagree that you've offered a
description of the entire industry, rather than merely a substantial part of
it. No doubt most shops would post their customers' credit histories on
a publicly-accessible web page if they could make a buck out of the
proposition---and most infosec quote professionals unquote would gleefully
do it for them if it meant job security. I ain't one of them, and I ain't
looking for one of those places.
I won't try to address your comments line-for-line (email me off-list if
you really want that). Instead, I'll just cover some points:
-`Politics' is what you call it when it's not going your way. It's
called `leadership' otherwise.
Every organisation has some office politics. Having worked at
a public university in Texas, I don't think most offices are as
bad as people think they are---most of what people call `politics'
in the office is merely departmental territoriality. This is only
a major problem (from the standpoint of a motivated security guy)
if `security' is allowed to be seen as a separate entity with its
own agenda and motives. Even if this is true (and it probably is),
just getting the departmental managers/directors/whatever involved
is almost always a Big Win. A manager who thinks you're using whatever
power you have to interfere with him will fight you. A manager who
thinks you're offering him power (and/or a voice in processes which
span multiple departments) will be more cooperative.
-`Security' as an abstract concept isn't a revenue stream. This is
true; it is also irrelevant. Security as an abstract concept isn't
security.
Actual design, implementation, and maintenance decisions are where
security happens, and are not necessarily at odds with any other
(purely mercenary) motivations an organisation might have. Pain and
expense in security implementation result, by and large, from
trying to apply `security' as a _post hoc_ fix or workaround.
Something as apparently mundane as a version control system for
updating production systems can be a Big Win from a security
perspective---and such a system can be sold on stability, scalability,
and maintainability (all of which are related to revenue streams in
much more easily-explained ways than security).
-Organisations don't want security or don't care about security.
Well, a lot don't. I don't really want to work for any of 'em.
And, for that matter, I don't imagine many hiring managers from those
places are reading the securityjobs mailing list.
That said, a lot of shops that are ambivalent or averse to security
aren't really reacting to security per se---they're reacting to their
current or former IT/IS security people. A lot of organisations are
full of bozos. A corollary to this is that a lot of security people
are bozos. Or demotivated people who figure `why bother?'
It's been my experience that most people -like- the idea of security,
but have never been presented with useful information about security
or alternatives for security implementation. Does this mean you
can win the hearts 'n minds of every employee by sending out a passwd
policy memo? Of course not. But an awful lot of directors are
open to having additional proposals/options put in front of them.
So, like I said...I agree with a lot of the tone of your comments, but I
disagree with the impression that -nobody- out there gives a damn. I think
that -most- organisations don't, and I think it's gotten a hell of a lot harder
to find the ones that -do- since the tech sector took a nosedive. A couple years
ago, a security guy in Silicon Valley wouldn't have to ask around on a mailing
list for a good gig.
And, as an aside, I wasn't looking for an `ideal' job. I didn't mention anything
about access to an indoor garage with a lift, bevies of scantily-clad nubiles to
fan me with palm fronds, or unlimited access to caffeinated beverages. I'm
just looking for a place where I can apply the infosec skills I have while
improving them.
-spb