You are browsing the archive for Preaching.

You got the well-paid IT Security job. Now what?

December 4, 2014 in Preaching


Writing requires a lot of iterations. Many preaching posts I write are written on a whim, and are often quite clumsy in they first few iterations. The intention is not to rant or offend, but to describe the reality (even if subjectively perceived and to certain level emotionally loaded). I usually review and edit them often as I believe giving them a second and third look makes them better and also removes parts that I think are not objective, or fair (if I spot them).

Old post

A while ago I have read a brilliant article from Jeff Haden that resonates extremely well with my own feelings regarding the company-employee relationship. While the title of the article is ‘What Bosses Should Never Ask Employees to Do’ it actually goes beyond that and pretty accurately describes various experiences one often encounters after joining companies. This is an interesting topic as it it somehow touches IT Security as well. And not only the problem of institutionalization of IT Security jobs and making it yet another job title suffering from the ‘corporate drone’ stigma, but a serious problem of destructive forces that try to ‘corporatize’ IT security in general. And by that I mean attempts to ‘fit’ IT Security within one of many boxes Corporate World has to offer. IT Security is not about ticking boxes on the form. And even ticking boxes cannot really prepare you for what you will be facing as an employee. If you do CISSP, CISM and SANS courses, know how to create ROP gadgets, write rootkits, reverse engineer firmwares it’s still not enough. This is because nowadays the IT Security job (non-consulting, non-vendor) is very often a mixture of some technical stuff with a crazy administrative overhead plus of course corporate “administra-trivia”. And unless CISO gives you a 100% power to ‘own’ the company security-wise and exclude you from all the corporate drama you are just yet another brick in the wall doing what everyone else in the company is doing (taking effectively a lot of your cycles away – cycles you could spend e.g. hunting for attackers / intrusions – I covered it in my older preaching post).

The aforementioned article inspired me to write this very post with a focus on the more technical IT Security jobs (DFIR, RCE, pentest). And not on the job market per se, but on the actual “what to expect after you join the company” bit. And there is a lot happening APART from the cool, technical stuff we all expect to do all day long. Having worked for various companies and types of companies over last 15 years I believe I can offer some insight to this topic and hopefully make it to be an useful guide to these who are either actively looking, or are currently considering changing the companies. I don’t want to rewrite Dilbert’s stories here, but offer the real world-experience of nuisances and idiosyncrasies you will encounter in your career.

The following is a very subjective perspective on the subject – I write it from my own personal experience so take it lightly and draw your own conclusions – more importantly, try to wear different shirts yourself and you will be able to form your own opinion, or compare it to mine.

I personally don’t believe it is a wise choice for anyone to work in the same function for more than 2-3 years (as an employee; if you are a partner, share holder, etc. it’s a different story). It not only leads to complacency and boredom, but it also limit companies’ growth – it’s the change on the staff level that drives changes in the companies (by comparison, CEOs are guys jumping the ship or following a better opportunity all the time; why an average employee should not benefit from similar change, and employee’s company as well?).

One can move inside the company, but the most beneficial career-wise is to go and try working for someone else. It is a very tiring process long-term as you need to rebuild your reputation from the scratch, but it’s very rewarding – you collect experiences from various environments and contact with various people and sooner or later become a ‘generalist diver'; a guy who knows a lot about a lot of things and can also dive into some specific area with a relative ease. It’s certainly not for everyone, so again, one last reminder that it’s my subjective and biased opinion – what works for me, doesn’t necessary mean it works for anyone else. And no, I am not ‘know it all’. I learn the same way as you do. I also don’t mean to offend anyone. I love technical stuff, respect CISSP and CISM knowledge, but also prefer solitude than socializing, because my heart is closer to ‘technical’ than ‘social’ –  if you roll the same way, this post may be handy for you. If not, you have been warned :-)

Borrowing the list of headers from Jeff’s article, we get a list of these:

  • Make employees feel they should attend “social” events.
  • Make employees feel they should donate to a charity.
  • Ask an employee to do something another employee was asked to do.
  • Cause employees to go without food at mealtime hours.
  • Ask employees to evaluate themselves.
  • Ask employees to evaluate their peers.
  • Reveal personal information in the interest of “team building.”
  • Ask employees to alert them when they “veer off course.”
  • Ask employees to do something they don’t do.

The IT Security job at a bank will tick probably the largest number of these points for you and that’s my target today :).

Before I worked for a bank, I was warned by a friend who said “you will die there”. I didn’t, but your soul certainly dies in a work environment offered by banks (pardon me generalizing here, but from conversations with other people who worked for other banks, the environments seem to be similar). If you are a technical person, a guy who ‘lives’ RCE, DFIR, pentesting you will do yourself a favor if you avoid banks as your employer. Or, if you do join, plan it in a way that you join it ‘for CV only’ and leave it within 2 years. I can guarantee that you won’t survive longer anyway. If you are currently working for a bank, you may disagree with me, you may also have a different motivation to stay, but if you have ‘itchy fingers’ and a constant stimulus to crack stuff then I’d be very surprised if you really enjoyed your job at the moment – as I mentioned earlier, this is my very subjective opinion which is shared by many very technical people I know who ‘tasted the waters’, but it doesn’t necessary mean it’s always correct. I bet amongst all bank environments there are some where some technical people can really grow, but I am probably not far from the truth when i say majority of the technical people ‘suffer’ in these roles. On the other hand, banks are – after all – places where you can be paid the best, so if you are after $$$ that’s where you should go, suck it up, and retire early.

The bank job usually means:

  • A pressure to attend meetings; not just one, but lots of regulars, often non-sensical meetings; you may be requested to constantly talk to your boss, to your peers and in general to ‘network'; when we talk about meetings there are often no agendas, they are ran not on merit, but on ‘interval’ basis – if the meeting is scheduled for 1 h, then you will all sit there for 1 h. The meetings are merely for the sake of … I actually don’t know what. I really don’t know. Conversations with managers often are focused on your personality (why the heck you don’t like networking with people in a physical world), assessment of your peers (gossip & politics), rarely IT Security. Some of the people at the bank that happen to be in managing functions simply ‘live’ this stuff; they can’t operate without their calendars looking like a Christmas tree. Many of them become IT Security Managers after working in completely different function for years, slowly climbing the corporate ladder and hence they don’t even have real credentials to understand what you will be doing, let alone a passion to do technical stuff; they know people and the environment though and from this angle, they are better off and better paid than you. Consider this though: the day you join, they know people and the environment; 6-12 months later you will know the people, the environment, and have your tech skills as well – this will be a time to start thinking of moving on as you won’t be able to beat the permanent residents in their game, but can leverage your gained knowledge to sell it to a different company for more
  • The whole networking thing is funny. I always compare a large company to a town. Imagine you live in a town with 50000 people. Now imagine you start casually chatting with as many these strangers as possible. Because… because someone says so. This can only end one way – superficial chats about weather, and a small-talk in general. This is not to say networking is a wrong thing. The idea is very important. It’s just in the bank the implementation is based on the insurance salesmen principles and it does not work for all types of jobs.
  • On a technical level, you will be using ‘enterprise solutions'; with a few exceptions these are terrible, bloated pieces of software using .NET, Oracle, Java (often very old version) and lots of legacy code loosely put together ‘to make it work'; you won’t be able to use 3rd party software, do research, you also won’t have access to latest tools easily since this is all subject to entitlements and approval from compliance; now on a surface, this is actually a good thing and banks have it organized pretty well – you need permission to install 3rd party software and that’s how it should be; however, as a technical staff you will suffer from being in a position in which to do your job, you need to either lie and install that OllyDbg or Sysinternals w/o permission or join the game of talking the talk and spend time evaluating even more enterprise solutions instead of actually doing the job protecting the company; the ‘enterprise solution evaluation’ is often offered for free as it is actually a QA ride for the enterprise software producers; it’s a perfect symbiosis actually, but if you want to do more than just web interface (tickets, tickets, tickets…), you won’t find it there.
  • You will be participating in doing audits; when I say participate it usually means this: find an appropriate language to provide an answer to the auditor’s question as precisely as possible, without hinting any other problem that could draw attention to them
  • Let’s face the reality: audits & compliance roles have a very limited scope. They may help to structure certain things, but… seriously. This is actually plain naive to codify the whole security into checkboxes. It just doesn’t work this way, because there is always sth you need to catch up with – technology changes and evolves constantly; plus, whoever comes up with the ideas for audits is often not technical enough to actually understand the technology they are auditing :). Security is not even Schneier’s process anymore. It’s a very ‘active participation’ body requiring in-depth knowledge of technology & threats, same as the assets you are protecting. The problems companies face start at the very core level – you need to know what you are protecting, then you need to understand what you are protecting it from, and then how. It’s very complex, but it can become managable – it just takes some time to change the attitude from passive security control management to active hunting for intruders, lots of analysis & again, you DO need the blessing from your CI(S)O.
  • Work for a bank is not full of cons only; there is plenty for slack time and for me personally, I’d have 2h of actual work every day, would be paid for it well and could use the rest of the time to learn something else; Hah, this is also a good opportunity to learn MS Outlook rules – brutal decision of what to read, what to ‘select all and mark as read’ and you are set. The number of emails you will be getting at a bank is crazy. It’s no wonder alerts are missed as questioning why we even receive all this spam is not well-received. In many aspects it’s all about people who manage you – if you are lucky you will get a manager who is quite technical and has a strong business  acumen. Ideally, a guy who worked in the consulting world before and is a natural leader. If not, you better look for new opportunities :)

Good luck in your career-changing decisions.

CISSP & CISM & Their real value for technical people

November 28, 2014 in Preaching

Let me start from a completely opposite angle first.

I hate CISSP. I hate CISM.

Yup. Yet I recommend them.

And I can say that, because I passed the CISSP exam in 2007 and CISM exam in 2011. Maybe not the best scores, but who cares. I passed.

I hate them cuz they represent the institutionalization of IT security & their role is more a recruitment tool than actually making people make the organizations more secure. A guy who has a CISSP, CISM, but never looked at the code or configured a software product is a drone. And is actually the worst hire for your org.

Now, if you didn’t sit any of them you cannot discuss / criticize them a.k.a. you should shut up.

So, I passed exams for both and then, for a couple of years I paid my annual fees for CISSP.

Then, I realized it’s a non-sense to do so, so I stopped. [Note: many real ‘hackers’ I know who passed CISSP for the sake of ‘consulting work’ do not pay annual fees at all; they let the thing expire; they are definitely smarter than me since they didn’t lose any money and I did]

<ISACA rant>

For CISM I never got a certificate, cuz ISACA people keep insisting for last 3 years for my ex-managers to sign up some stupid papers to prove I am eligible. Now, I am eligible , but the paper requires a gazillion of signatures and my ex-bosses actually did sign them yet missed one or two signatures. Seriously, it’s not just one signature required, but the whole paper needs to be signed multiple times. Who has a time for stupid stuff like this?

So, I am not going to bother my ex-bosses again. I actually respect them and their time more than ISACA. So ignored the whole thing b/s for 3 years. Yet they continue sending me a reminder. Every month. And if you wonder why I didn’t tell them to stop – I was curious how long it will last :)

</ISACA rant>

So, back to the story.

I believe that CISSP and CISM exams are useful, but are a one-off, and – perhaps surprisingly – certificates I could say that are the main ones you should study for if you want to work in the IT security for long.

Just do not pay them annual fees cuz it’s a waste of your dough.

When you pay the annual fees you are paying for so-called maintenance and ‘keeping’ the certificate in a good shape. What does it even mean? Think of it – if you passed BSc, MSc, etc. you don’t need to pay a  maintenance fee, yet you worked much harder to get them and studied at uni, not sat the exam organized by some private profit-oriented institution. Something doesn’t add up here. It’s a cash cow & if you are feeding it.

Despite criticism, both CISSP and CISM exams lead you to a great body of knowledge – one that will change your perception of things. And it should. If you are a researcher, vulnerability researcher, hardcore reverser, anti-corporate, and in general “I do it my own way” you will hopefully realize and be for a nice surprise on how many things you can learn from studying for these exams. It’s actually worth it. Your ‘I can break it’ world is actually very small. Expanding horizons should be a never ending purpose for anyone who is in the business of IT Security. The CISSP/CISM will explain to you a business angle and the core knowledge about security – this is something you won’t learn from a hacking book. And such knowledge about security is a foundation on which you can build a proper IT Security practice. If you deny yourself knowledge then you better be outta here. Do not fight the system, use it. The knowledge you can gain when you learn for these 2 exams is good for you and your future. Just don’t pay more than they are worth.

To conclude:

  • Find a sponsor who will pay for your bootcamp/course/exam, or… just a book
  • Study&Learn – be serious about it
  • Pass the exam, or not – who cares
  • Ignore the certificates
  • Do not pay annual fees
  • Profit (and you will)