I know so many people have asked this question before in security, but just what is it we are trying to do? Are we trying to make a difference in security, or are we just trying to make a buck? Of course, you can ask the question, “Why can’t it be both?” But really, are we trying to do something about the state of security? If fact, why don’t I ask the real question: do we even care about the state of security? Or do we simply want things to keep rolling like they are?
Let’s look at it this way. I liken security to the medical field. I have run into doctors and nurses before who would like to be out of a job, meaning they would love it if modern science would find a cure for the disease in which they specialize (a lot of those people work right here in Houston at the MD Anderson Cancer Center). If their area of specialty was no longer needed, they would rejoice, and they would move on to another disease to fight.
But at the same time, you have some of those same medical professionals who make you wonder if they are just there because their momma wanted them to be doctors or because nurses make pretty good money. They do their job without much interest and bed-side manner, and then they go home.
The same is true about security. There are some security professionals who want to fix security ills. They want their family and friends to be safe from harm when they go online. They want everyone’s data to be locked safely away from criminal snooping. They care that the Internet is a dangerous place, and they want to do something about it.
Then there are others who heard in high school or college that information security seemed cool, and it also tended to pay big paychecks (not always true, BTW). They show up and maybe write a couple of policies or sell a couple of firewalls. But they are not there to make things better.
Now before we slam these people, we have to ask ourselves if they are really evil or bad. I think that most are not. They simply choose their profession based on misguided principles. The medical field is just too important a choice to make based on the fact that the men in your family have been doctors for three generations (ever see Gross Anatomy?). The same is true for security. It is not a field you go into just because you thought WarGames was cool (I guess I am also saying something about watching movies – I’m not exactly sure).
So I guess what I am asking is for all of us to be honest. Take a close look at what you are trying to accomplish. Security is a field that MATTERS. If all you want to do is make a buck, then do something that won’t get anyone hurt or ruin someone’s life (not sure what that is right now, but it dang sure ain’t security or the medical field). If you are trying to help others and you have a talent for security in some way (there is a lot of room for different talents in security), then let’s make security a goal we can all pursue together.
And hey, if we make a buck or two in the process, then we have proved that capitalism works.