I read the following article over at Richard Bejtlich's TaoSecurity blog. I haven’t commented on his articles in a while, so I figured he was due for some feedback, only this time I agree with his sentiments 100 percent.
One of the comments that really struck at the heart of the issue in my eyes was from a reader who said that he had struck up a conversation with a guy while at the mall. The guy basically went on to state that he was getting into network security to get one of those “6 figure salaries” that he hears so much about.
This is not a problem that is inherent to network security, but to the IT industry as a whole. This was really prevalent during the dotcom bust of the late '90s and early 2000s. I remember reading articles in magazines talking about developers being lured away from jobs the way that NBA superstars are. Now, we have the same type of talk about network security. I thought it was ridiculous then, and I still do.
What is the result of sensationalist talk like this? Unmotivated, unqualified individuals, rushed through their education, filling sensitive positions, who are merely money chasers and are only willing to put in their 9-5. What is the result? A large surplus of unqualified workers filling job slots. What’s in store for the network security field? If what has happened to the development community is any indication, these “menial” and entry-level positions of Network Administrator will get outsourced to save costs, blocking promising and talented administrators from the field. Those that get the jobs out of trade school will be unqualified, creating poor network infrastructures and larger holes. Just as menial coding jobs get outsourced or offshored, and bugs and security holes get created in software. Thus the cycle will continue.
What businesses fail to understand is that it’s not the money that makes personnel good, but their understanding of and dedication to the job. When people ask me how I got involved in development work, I tell them I got involved with it when I was young, fell in love with the work, and I’d be doing it for free. My degree was a result of my dedication to the work, not a result of my desire to earn money. Everything else just fell into place. I don’t chase the money (although getting paid is nice), but I’d still do this for fun even if I wasn’t getting paid. That’s the kind of dedication network security folks are facing: hackers who love to hack, and programmers who love to program.
So let’s compare and contrast. The dedicated hackers who do it for the love of hacking, oh and they just so happen to sometimes get paid by organized crime for their skills, or the 6-figure 9-5’ers who have a 2-year degree from a trade school, or a business degree with IT emphasis? I agree with Rich’s statements, and I weep for the future of the network security field. So when does the flood of clueless articles in business magazines talking about the failure of network security begin?