RE: Stop me before I consult again

From: Moyer, Shawn (SMoyerat_private)
Date: Fri Dec 06 2002 - 23:58:53 PST


    Somewhere in between Clyde's tirade and Stephen's resides the truth. 
    
    No, security is rarely, if ever, a top priority, though accepting,
    mitigating, and understanding risk should be. Having consulted for a bit
    myself, I've seen both ends of the spectrum here, and the truth is that
    there *are* companies who take IT Security more seriously than others,
    generally based on how critical technology is to their business, and what
    the nature of the threat is. For example, banks and credit card issuers will
    take IT Security far more seriously than say, a graphics design firm, based
    on their visibility and the nature of the business. 
    
    As for vendor widgets winning out in a cost-benefit analysis, as above, this
    can be true in context, but also patently untrue as well. Closed-source
    bigots operate on the same sort of bad faith as open-source bigots. I
    provide my employer with the best tool for the job within the constraints
    I'm provided, and that can mean anything from an open source tool or OS to a
    canned solution, again, depending on the context. 
    
    Companies don't hire brainpower??? Wow. What a narrow and depressing way to
    look at the world. There are scads of workplaces that foster individuality,
    innovation, and creativity in their corporate cultures, and I've had the
    pleasure of hanging my hat at several over the years. The secret (I suppose
    this is addressed to Stephen) is to NEVER SETTLE, and to dig in and know
    enough to stay put when you find one of these gems. 
    
    Clyde, there's an expression from Ken Kesey: "No one else is going to take
    your bad trip for you." I think it's relevant at the moment.
    
    Stephen, good luck to you. Keep the faith! The diamond-in-the-rough is out
    there if you're willing to look for it, and willing to release some
    preconceptions about what exactly it might be.
    
    --shawn
    
    [ Spanner in the works rather than cog in the machine, by choice,
    inclination, preordination, and pig-headedness. Try it sometime, it's fun! ]
    
    > -----Original Message-----
    > From: Clyde [mailto:lugh-clydeat_private]
    > Sent: Thursday, 05 December, 2002 11:34 AM
    > To: securityjobsat_private
    > Subject: Re: Stop me before I consult again
    > 
    > 
    > In-Reply-To: <20021204003648.EE0FD8028at_private>
    > 
    > Well, no wonder you're not happy; you need a reality fix. You are
    > looking for the impossible and will never find it.
    > 
    > No company considers security a top priority nor should they. Security
    > isn't a money maker for anyone. Even security companies are in the
    > business of selling, not security. Therefore, security is like
    > insurance - it's something you need to protect the business, but it
    > isn't the business of the company. That means that any company with
    > security as a top priority would soon go out of business because their
    > priority isn't on the business.
    > 
    > Because security isn't the top priority, it will never have a very big
    > piece of the budget. That means that the company is always looking for
    > just enough security and no more - their definition and not yours.
    > Building custom solutions to complex security problems is very
    > expensive and slow. So, companies aren't likely to do it or be able to
    > afford it. Therefore, they have to use commercial-off-the-shelf tools
    > to solve their security problems. As those aren't perfect, they won't
    > give a perfect solution, but it is likely to give them "just enough
    > security". The cost/benefit analysis will almost always make vendor
    > widgets win out.
    > 
    > If you are in an organization by yourself or you are an absolute
    > dictator of the organization, you can make things happen very
    > efficiently. Otherwise, you have to work with people. For better or
    > worse, everyone has different ideas and agendas. They also have
    > ambitions and goals that probably don't include you in any way, shape,
    > or form. Making all that happen on a day-to-day basis is called
    > politics. It's ugly, mean, and inefficient. However, it is a fact of
    > life in business. (OK, it's a fact of life in all human social
    > engagements.) You can either fight against it and get yourself killed
    > or you can play the game and get as much done as you can. (Third option
    > - stay out of the way and do what you are told.) There really aren't
    > any other choices.
    > 
    > BTW, of course you are solving the same problems over and over. Most
    > companies aren't nearly as unique as they think they are. They also all
    > have the same threats, risk, and vulnerabilities. That's because they
    > all use the same systems, tools, and methodologies. That's why they
    > need your expertise. If they really were unique they probably wouldn't
    > need you. They hire you because you have the knowledge that can be
    > quickly and easily plugged into the problem. Companies don't hire
    > brainpower; it usually isn't needed in business and often gets in the
    > way.
    > 
    > So, good luck finding your ideal job. I don't believe you will. If you
    > think you have, I doubt you'll be happy in it for very long.
    > 
    > Clyde
    > 
    > <snip>
    > >
    > >Well, it's been roughly a year since I first posted here to the
    > >securityjobs list, and I still haven't found any permanent position
    > >I'm interested in.  I am getting to -really- dislike
    > >consulting---spend too much time looking for contracts and end up
    > >dealing with too many bozos, solving the same problems over and over.
    > >
    > >So, I'll ask the list again:  anyone out there looking for, or know of
    > >someone looking for a serious information security goon?  I'm a UNIX
    > >bigot (I use OpenBSD by preference and edit everything with vi, if
    > >that helps you peg me), and spend a lot of my spare time writing
    > >statistical intrusion detection code.  In short, I'm really not
    > >looking for entry-level stuff.
    > >
    > >The ideal employer I'm lookin' for:
    > >
    > >	-Considers security a top priority
    > >	-Isn't already married to vendors for their security widgets
    > >	-Is organised such that a single motivated individual can make
    > >	 things happen on a day-to-day basis
    > >
    > >Ideally, I like working for smaller shops---startups, previously.  The
    > >main reason for this is I prefer to build things from the ground up
    > >rather than try to fix 'em after the fact.  I have experience working
    > >in just about every kind of environment from brand-new startups to
    > >multinationals, from research institutions to financial services
    > >companies.
    > >
    > >I won't bother posting a resume, but if anyone is interested I can
    > >supply 'em with one.  I currently live and consult in the Silicon
    > >Valley/San Jose area.  I'd be willing to entertain the idea of
    > >relocating for the right position.
    > >
    > >Thanks for your time.
    > >
    > >-spb
    > 
    This archive was generated by hypermail 2b30 : Tue Dec 10 2002 - 10:03:10 PST