Let’s face it – being a security expert is difficult. While security technology is very difficult, dealing with people, especially with people who don’t work in the security field, is far more difficult. Why is that, you say? I have a list.
With respect to David Letterman and Rodney Dangerfield, I present my list of reasons security experts get no respect.
#11 – You never have good news.
All you have to do is walk into your manager’s office, and sit down with a serious expression. There’s no need to say anything. Your boss will know. “Oh God. Now what?”
It’s not like you are going to say “We don’t need to buy any new hardware” or “Our people will meet the schedule.” Of course not. That never happens.
It’s no wonder your boss wishes your office was on the far side of the moon.
#10 – Others don’t understand you.
As soon as you start talking about the technology of security, like key exchanges, passing the hash, entropy, transport security, padding oracle attacks, and so on, you might as well be talking in Latin. A sure warning sign is the boss asking for a whiteboard diagram, along with an aspirin.
#9 – Any problem costs money.
A software engineer can add a new feature to a system, and people will pay for it. But some security protections will remove features – and that’s bad news. No one wants to spend more money and get fewer functions.
Even security patches are a problem. If customers have to pay to fix something that should never have happened in the first place, the customers get upset. And if this disrupts their business – that’s even worse.
Even if the problem is internal, it will likely need time and/or money to fix.
So in short, you bring bad news no one can understand, and it will cost money. It’s no wonder your boss doesn’t want to see you.
#8 – You can’t talk about any hacker activity.
Now suppose you discover someone hacked into your system. This is one of the most interesting things that can happen to a security expert. So naturally you can’t talk about it. This might affect company sales or stock prices, you see. You have to learn to emulate Sergeant Schultz.
#7 – You can’t talk about any vulnerabilities in your systems.
And the same thing is true if you discover a weakness yourself and get it fixed. If it’s in a web service, it’s best to pretend nothing happened. And if it’s in a product, then that’s even worse. You don’t want to be responsible for telling hackers how to break into the old systems. Your customers might get upset. Loose Lips Lose Customers.
#6 – You can’t share your tools with your peers.
Suppose you develop a neat tool that tests the security of your system. While other professionals might gain respect by sharing cool tools, if a security professional publishes a hacking tool, someone might use that tool for evil purposes!! Managers have one word in their minds – “lawsuit!” So if you develop a cool tool, it’s best if no one knows about it.
#5 – If you do nothing about security – it just gets worse.
Once a technological barrier has been crossed, the job is done. Time to move on.
Unless one deals with security.
To quote the NSA, “Attacks always get better; they never get worse.”
A perfectly secure solution for 2004 is a security nightmare for a 2014 system. New tools, new attacks, and clever programming will decimate the security of an old system. In any other field, people can look back at a past success and think “That was a good system.” Security is the exception. People with perfect hindsight will gladly point out “You really screwed that one up!”
#4 – You have to run as fast as you can to stay in place.
In most engineering fields, you can learn the basics and become an expert in a single area. And one can have a nice career getting better in one niche area.
But if you are responsible for security, the rules are different. You have to continuously improve your skills in all areas.
In other words, you are always busy. And your boss wonders why you can’t get your work done.
#3 – A flaw is a flaw.
In engineering, you can have trade-offs of functionality and features. You can ask a manager to decide which feature is more important. And they can wait 6 months before adding new features.
Not so with security. All flaws are a crisis. It’s true that some may be actively exploited while others are not. But that can change at a moment’s notice, especially if the flaw is discovered publicly. Ever notice how people react when a company claims a security flaw is small?
#2 – You have to be perfect to be acceptable.
In some systems, managers will love you if you can improve performance 25% and reduce cost 20%. Or if you had a goal of 75% and reached 74%. That’s pretty darn close.
Close doesn’t count in horseshoes and security. It’s not like your boss will be happy that you fixed 99.9% of the security problems. Nope. If you are a security expert, you have to be 100.00% perfect. After you walk on water.
And now – the #1 reason why security experts get no respect:
#1 – When you do an absolutely perfect job, nothing happens and nobody notices.
Yup. If no security problems occur, and nothing happens – you are either lucky or extremely gifted. Or perhaps you are deadwood. Who’s to know for sure?
So in summary we have someone whom no one understands, who doesn’t provide any clear evidence of their worth, yet who is always busy doing obscure activities and always costing the company more money.
Now imagine how your boss describes you to their boss.
[Note – this is something I wrote nearly 6 years ago. I thought others would enjoy it. It’s based on my observation of the industry, and not based on my experience with any particular company. :-]