An Information Security Place

My pastor writes a blog on our church website that I follow, and today’s message was very good.  Here’s an excerpt:

Life is a long series of “moving-up-a-level” experiences. We move from kindergarten to first grade, or from middle school to high school, or from engineer to project manager, or from club member to club president, or from team member to team captain, or from salesman to sales manager, or from second string to first string, or from busser to waiter. 

In this “moving up” process we spend a lot of time and energy desiring to move up and wanting more responsibility and more money and more control and more recognition—and we spend very little time and energy considering the struggles that are coming with that new level. At new levels there are new challenges.

 

This really struck me.  Almost everyone thinks about the next level and what it would mean for them.  Like Pastor Dave says, it means more money, more control, more power, more fame maybe.  But if we would just stop to see what bad things that new level involves, we might not be so eager to make that climb.

Now, Pastor Dave is in no way saying we shouldn’t strive for the next level.  Look at this quote:

There is nothing wrong with desiring a new level in life—just be sure you are prepared for the new devils at those new levels.

Obviously this is written from a Christian perspective, so you will have to apply the term "devil" to whatever your belief system happens to be.    "Devils" can be a term that can be used for any issue that arises when you move on to new challenges, no matter if you are Christian, Buddhist, Jewish, Muslim, atheist, or whatever.  But the message still applies.  Moving up brings new challenges.  Those can be exciting, but you might want to make sure you are prepared for those challenges before you start the climb (or even start looking for the ladder).

From a personal perspective, I can say that I made the climb early in my career.  I started in IT during the golden age of the 90’s.  If you had a CNE or a even a MCSE, you could pretty much write your own ticket.  Everyone needed a network admin, network engineer, webmaster, etc.  Everyone was growing, and they needed more people to grow with them.  So I sought and got promotions very quickly.  I learned a lot from those experiences, and I don’t regret any of it.  However, I know now through hindsight that I was not prepared for some of those jumps.  I struggled through a lot of those new jobs and levels.  I happen to learn better through doing, so it was good for me.  But not everyone learns that way.

So basically, use caution when seeking that next level.  Be patient and honest with yourself.  Sometimes delayed gratification is better.  Always seek to better yourself, but make sure you are doing it in a smart way.

Vet

Since Alan posted his sadness at the Pittsburgh Steelers loss of coach Bill Cowher, I guess I can post my depressed state over the Cowboys loss to Seattle on Saturday. I am not going to write forever about why they lost or who is to blame (mostly because this is supposed to be an InfoSec blog). It suffices to say that they have simply been beating themselves for the last 2 months.

But, I will always be a Cowboys fan. They are still the most succesful franchise in NFL history (eight Super Bowl appearances – more than any other team – and 5 wins – tied with the Steelers and the 49ers).

And while Romo did blow it, he still has a future with Dallas or any other team. He is very talented and just needs some experience (which he got plenty of this last season).

And while I am talking about the NFL… I know I listed a few things about myself that many others didn’t know (and probably didn’t really care about) when I got blog-tagged, but here’s one more. If you are a Super Bowl historian or just plain NFL fan, you probably know about this bit-o’-football-trivia (quoted from page 2 of ESPN’s Goats, Gaffes, and Blunders site):

Jackie Smith

A member of the Pro Football Hall of Fame and a five-time Pro Bowler with the Cardinals, Smith is most remembered for his infamous dropped TD pass in the 1979 Super Bowl while playing for the Cowboys. Dallas trailed Pittsburgh 21-14 in the third quarter, when Roger Staubach found a wide-open Smith, the team’s backup tight end who hadn’t caught a pass during the regular season, in the end zone. But he dropped the pass and Dallas settled for a field goal in a game it eventually lost by four points.

Jackie Smith is my third cousin.

Vet

I was reading through my many newsletters I receive daily, and I ran across a couple of articles about security vendors warning about spam, spyware, phishing, the mob and hackers teaming up, etc. As I was reading those headlines, I found myself quickly sneering and thinking these were nothing but more FUD from people trying to make another buck.

Then I thought, Wow, I sure am getting cynical. Though it is obvious that there can be a lot of FUD coming from these guys, that doesn’t mean that I shouldn’t read their stuff. I’m sure there are people in those companies that are sincerely trying to help the security industry. It just comes out as FUD when those dang “marketeers” get their claws into it.

Maybe I’m a little gloomy because it has been raining down here for the last couple of days. I need to take a happy pill!

Vet

I have been thinking about the idea of generalists vs. experts in security (which probably translates into any field). I tend to look at the generalist as a jack-of-all-trades (joat), where the individual knows a wide range of subjects. Some people would say a mile wide and an inch thick, but I think generalists are often much more knowledgeable than they are given credit for. The strength a generalist can lend is a wide variety of experience to help solve problems in many areas. The weakness is if you need a very focused skill or knowledge base, the generalist will probably not have it.

A specialist (or expert) is generally looked at as an inch wide and a mile deep. But unlike the generalist, this is probably a fair statement for most specialists. This person is extremely knowledgeable in one or two areas. The expert can give you advice to likely solve any problem that arises in her area. But experts tend to be very tunnel-visioned and may not be able help in other areas.

I would say that a generalist has the advantage of being able to fit in many organizations, so the career path for such an individual may be better because of this. I know that I have a fairly broad knowledgebase, and it has helped me in my career because I had experience in a lot of different areas.

However, from the direction of value to the industry, I think experts have an advantage because they can answer in depth questions with much more certainty than generalists can. If you frequent forums and knowledgebases, you will find that the questions asked there are almost always very pointed questions about a particular product in a particular scenario. This type of question plays into the specialists hands.

As an example, I can see a huge value in the expert knowledge of the people in Accuvant’s assessment practice.  These people totally kick ass in what they do, and it adds a HUGE amount of value to Accuvant’s offering.

I think generalists tend to end up in roles like security evangelists and pre-sales engineers (though I know a couple of SE’s who are very broad and deep in their knowledge of security).

So I guess you can argue this all day without coming to a consensus.  And though I have have essentially taken the generalist path in my IT and security career, I don’t think either is “better” than the other.  It really depends on your proclivity and your basic talent.

Vet