[attrition] rant: 7 Ways That I Can Tell That the Security Industry Bores Me

lyger lyger at attrition.org
Mon Sep 20 06:28:13 CDT 2010 

http://attrition.org/security/rants/bored/

Mon Sep 20 06:13:29 CDT 2010
Lyger

One of the questions I'm occasionally asked is how long I've been "in 
security". I guess the answer really depends on your definition of "in 
security"; I've had a job title of "Security X" or have been employed by a 
"security vendor" since early 2004, but much like the way other people get 
involved in security, there were security-related duties in previous 
positions as early as 2000 and a general interest in the field since about 
1998. Those duties and the general interest doesn't necessarily qualify as 
"in security" time, but I like to think it was a good start. It never 
hurts to get your feet wet and get some basic experience when choosing a 
career path, especially one that is considered to be somewhat specialized.

Well, over ten years have gone by and the landscape has changed somewhat. 
Security is a hot topic, much more mainstream than it was several years 
ago, and has never been a more interesting and exciting field, right? Just 
like your definition of "in security", that probably depends on your 
definition of "interesting and exciting" too. Sure, there's 
"cyber-whatever" now, flavor-of-the-week exploits, the marriage of 
compliance and security, and dozens of other topics that keep Twitter and 
RSS feeds humming at all hours of the day and night, but for all of that 
there's still the debate over vulnerability disclosure, whining about how 
"Vendor X is still [insert whatever they're still doing here]" and overall 
whining about the general suckiness of the industry as a whole. To be 
honest about it, I've come to realize over the last couple of years that 
*all* of the topics listed above are, well, boring to me. This isn't to 
say that those topics in and of themselves are inherently boring, or even 
that the security industry as a whole has nothing of interest to anyone, 
but to *me* the industry has become the equivalent of a company party that 
goes... on... forever. You're there and it's supposed to be fun at first, 
but then you end up hearing the same old rehashed stories from the same 
people you would rather avoid in the hallways, and just about the time you 
find the exit and start heading for it, someone stops you to ask if you 
heard the latest about [insert "hot topic" here] and what you think about 
it. Again, that's just my take. Other metaphors may work better for you 
(or not at all), so like the old saying goes, YMMV.

Before I go on with how I finally realized that the security industry 
bores me, I'll address what will possibly be some reader feedback saying 
"if it bores you or if you don't like it, why don't you just quit?". 
There's actually a good reason why (besides the obvious need to eat and 
have shelter): I don't *want* it to be boring. I'd like to be around when 
something that is interesting *to me* happens, but nothing has in quite a 
while. Keep in mind that I'd rather not see some sort of cyber-armeggedon 
happen in my quest for something unique and fun, but anything has to be 
better than a rehash of any topic that has been popular over the last ten 
years. Anything. Being bored is, well, boring. There were some warning 
signs; if you recognize any of these, maybe we're in the same boat.

[...]

More information about the attrition mailing list