One of the questions I'm occasionally asked is how long I've been "in security". I guess the answer really depends on your definition of "in security"; I've had a job title of "Security X" or have been employed by a "security vendor" since early 2004, but much like the way other people get involved in security, there were security-related duties in previous positions as early as 2000 and a general interest in the field since about 1998. Those duties and the general interest doesn't necessarily qualify as "in security" time, but I like to think it was a good start. It never hurts to get your feet wet and get some basic experience when choosing a career path, especially one that is considered to be somewhat specialized.
Well, over ten years have gone by and the landscape has changed somewhat. Security is a hot topic, much more mainstream than it was several years ago, and has never been a more interesting and exciting field, right? Just like your definition of "in security", that probably depends on your definition of "interesting and exciting" too. Sure, there's "cyber-whatever" now, flavor-of-the-week exploits, the marriage of compliance and security, and dozens of other topics that keep Twitter and RSS feeds humming at all hours of the day and night, but for all of that there's still the debate over vulnerability disclosure, bitching about how "Vendor X is still [insert whatever they're still doing here]" and overall whining about the general suckiness of the industry as a whole. To be honest about it, I've come to realize over the last couple of years that *all* of the topics listed above are, well, boring to me. This isn't to say that those topics in and of themselves are inherently boring, or even that the security industry as a whole has nothing of interest to anyone, but to *me* the industry has become the equivalent of a company party that goes... on... forever. You're there and it's supposed to be fun at first, but then you end up hearing the same old rehashed stories from the same people you would rather avoid in the hallways, and just about the time you find the exit and start heading for it, someone stops you to ask if you heard the latest about [insert "hot topic" here] and what you think about it. Again, that's just my take. Other metaphors may work better for you (or not at all), so like the old saying goes, YMMV.
Before I go on with how I finally realized that the security industry bores me, I'll address what will possibly be some reader feedback saying "if it bores you or if you don't like it, why don't you just quit?". There's actually a good reason why (besides the obvious need to eat and have shelter): I don't *want* it to be boring. I'd like to be around when something that is interesting *to me* happens, but nothing has in quite a while. Keep in mind that I'd rather not see some sort of cyber-armeggedon happen in my quest for something unique and fun, but anything has to be better than a rehash of any topic that has been popular over the last ten years. Anything. Being bored is, well, boring. There were some warning signs; if you recognize any of these, maybe we're in the same boat.
1. I quit reading Twitter and only abuse it now. The @attritionorg Twitter account follows about 225-250 other accounts, but the vast majority of those that are security-related really have little interest to me. I find other accounts like @God_Damn_Batman and.. well, shit, I can't think of another one, more entertaining and useful than most of the security news and commentary found on Twitter. Let's face it, Twitter is really nothing more than a big gang-bang chat room with a character limit. When people post links to news articles, they generally have to shorten the URLs to fit within the limit, so at first glance I don't know where they're going and I typically avoid clicking them. I learned early on with Twitter that posting a shortened link can be fun, though, and I may have been the first Attrition staff member to use it for rickrolling. Other than that, I like posting shit about movies I watch with Mrs. Lyger or other non-sequitor comments and responses that sometimes grind conversations to a halt. Security people talking security in 140-character bites? No thanks. It's a time sink to try to follow it all, so I don't.
2. My Blackberry only has two apps and one is CNN Money. The other is MidpSSH, a little SSH client that allows me to log onto attrition.org to check the box when I'm not sitting at a laptop. Let me assure you, this happens rarely and there's a good reason why. Have you ever tried to run Pine from a phone? It sucks:
But the main reason why I don't have 8327456 apps on my phone is that I don't need them, and because I don't need them, I don't want them. Some people, especially in the security industry, appear to feel that being slaved to phone calls, text messages, and phone apps is some kind of badge of honor. I've seen it at conferences over the past few years; people are more interested in their phones and "being connected" than their actual surroundings. In a presentation? Take a picture. In the lobby? Tweet. I can do without having "the industry" up my ass all day, every day. My Blackberry is used as a contact device when 1) someone needs to call me when I'm not home, and 2) when I need to call Mrs. Lyger on her way home to remind her that we're out of olives. There's nothing security-related that is important enough to make me pay attention to my cell phone more than once a week, and then only for a couple of minutes in one small session.
3. I didn't miss going to Las Vegas this year one bit. After last year's Black Hat / DEFCON gathering, we made the decision to do something different for 2010. We simply weighed the pros and cons of taking 3-4 days off work, finding someone to look after the little monsters, hotel and travel costs, and the general overall hassle of trying to find cool and quiet places in Vegas to have a decent meal or conversation with people we know and like versus seeing those few people we know and like for a few hours a day over a 3-4 day period. We didn't bother standing in lines for $125 badges or the "neat trick of the year" talks last year, but the overall scene and vibe was more than enough to drive us away from BH/DC this year. Pro tip: for anyone tired of the same old chaos and hassle of Vegas, consider checking out SOURCE Boston in the spring. Smaller crowd, the weather is much more agreeable, there are just as many (if not more) interesting tourist attractions, and fresh seafood right on the harbor is a no-brainer. Sure, SOURCE is a another security conference and an industry event, but it's much more relaxed and doesn't come with the "same old same old" found in Vegas every summer.
4. I grin now when people complain about compliance. It's time all of the security professionals out there face it: compliance *is* security. Believe me, I was once of you one, chanting the mantra "compliance is not security" over and over until I was blue in the face. Actually, I still believe that, but I also learned that it doesn't matter what I think. Neither my opinion alone nor your opinion will change the fact that compliance *is* now security because perception is reality. As someone pointed out recently, PCI DSS isn't even "regulatory compliance", it's contractual compliance, but you'll hear of it in the same breath as SOX, FISMA, and HIPAA / HITECH because that's how people think of it. Is it fun? No. Sexy? Not even close. Boring? YES. It doesn't matter. Whatever most people think compliance is, it either is now or soon will be. If you hate PCI DSS, good for you because it sucks, but it's still going to be held as a measure of security despite what you think, what I think, or what anyone else thinks unless the majority of people both in and out of the industry decide that compliance is not security and redefine it thusly.
5. Security-related mailing lists are like an episode of Three's Company. No, I don't mean that they are amusing for thirty minutes a week. Essentially, they tend to have the same characters acting the same way over a topic or set of topics that are always more-than-marginally related. Sure, security mailing lists are supposed to be topical; if they weren't, they would be like the Van Halen mail list where people talk more about fantasy football, bad photography techniques, and chili recipies than the band itself. Every mail list seems to have at least one of several types of people on it: the person who knows more than everyone else (just ask them), the bully, the dolt, the peacekeeper (who tries to keep the previous three off of each other's asses), the person who generally *does* know more than everyone else but only shows it in flashes and then shuts up, and the clueless retard who got on the list and can't seem to remove themselves (not to be confused with the dolt, who willingly sticks around despite receiving what can be ungodly levels of abuse from people they may or may not have ever met face-to-face). Quite often, I find myself reading the first email of a list thread, deleting it, and then a week later reading a response maybe 30 mails down the thread and finding that I don't feel like I missed anything in the 28 mails between. Not all lists or threads are useless or boring, of course, but I've been saving a lot of time by plonking a lot of emails that really don't have any information that I can use, even though the topic itself may hold some value to the industry.
6. I don't care if a security company either buys or gets bought by another company. I used to, especially when I was in a position to make product recommendations for a previous employer, but now I couldn't really care less if Company A absorbs Company B, even if the transaction potentially brings the promise of sleek new technology or more secure platforms. From what I've seen, most of the speculation about these deals from within the industry is just that: speculation. There have been a few good insights here and there from people understand the short-term and long-term impact of mergers and buyouts, but most of the reactions you'll see will be something along the lines of "OMG I CAN'T BELIEVE INTEL BOUGHT MCAFEE, NOW THEY'RE BOTH GOING TO SUCK EVEN WORSE THAN THEY DO NOW". Seems to me like a lot of those types of comments are uninformed overreactions of disdain and angst, because it's industry-cool to hate to see big companies become even bigger or to see small companies "sell out to the man". Buy and sell away, all of you security companies. It's happened before, it'll keep happening, and unless it affects me directly, no harm, no foul, no care. Speaking of McAfee, their stock shot up about 60% the day the Intel deal was announced, so the only thing that really bothers me about that one is that none of our insider buddies tipped me off so I could have gotten into MFE the day before or at least round-tripped it some time that day for some quick scratch.
7. I don't tinker anymore. I've pretty much stopped building my own networks, trying out new software (except for upgrades to stuff I already use), trying to figure out how the newest exploits work, and doing break/fix stuff on my own boxes to see if something "neat" (tm PaulDotCom) will happen. Between the day job and keeping up with OSVDB, there isn't a lot more time to spend on security-related stuff, and I can't really say that I have a great urge to take away from any more time with Mrs. Lyger, Netflix or sleep. With that said, I don't really miss the time I used to spend dinking around with new security-related stuff or reading logs. Tinkering was time well spent when I had time for it, but I've found that other things are more interesting and rewarding to me now. Maybe someday I'll get back around to it. Dunno. Not worried about it. :)
Some people might take my observations and comments above as a condemnation of the security industry as a whole, but that's not the case. Certain aspects of *any* industry can become tiresome either fairly quickly or over a long period of time, especially when someone dedicates a relatively large chunk of their time to one specific interest. As I mentioned, I do hope that security will become an exciting field for me once again (since I still do have the day job and work on OSVDB several hours a week); hopefully avoiding some of the overload, annoyances and less interesting aspects will help feed my still-waning interest.
Until then, there's always Mrs. Lyger, Netflix, sleep, and burning stuff in the kitchen. Gotta start somewhere.