Future Proof Your Security Job

June 10, 2015

*This is the final post in a series on future proofing your security job. The rest of the posts are: 14 Things and 12 Tools Every Security Organization Should Own, All of My Old Jobs No Longer Exist and *Do You Still Want to be a Fireman?

The idea for this series first came when I started to think about all of the old jobs I had. Those positions didn’t exist today. I felt lucky. Then I thought back to what I was doing to make sure I was always ahead of the curve. But first, let’s talk about some key factors for a job that may no longer exist.

Roles That Aren’t Future Proofed

The following are some generalized roles in Information Security that are higher risk for disappearing. Does this sound like you? Don’t panic, it could be years before anything happens. But that’s the point of the second part of this post.

  • **A Tool Can Do It — **A lot of the activities I used to do are now replaced by security tools. Before you say “a tool can never do this,” someone is fast at work trying to prove you wrong. My employer, Cigital, was performing code reviews before there were tools that could do it. They created a tool because they needed to get more efficient. Now Fortify, Appscan, and Veracode have replaced my human hours of manual code review.
  • **You Aren’t Adding Value — **We all perform basic tasks, but the hope is that we add value to those tasks. You should be taking raw data from one of the tools above and providing context, actionable guidance, or an assessment of the risk to the organization.
  • **You’re Reaching the End of the Maturity Curve — **Gartner does a nice job of mapping information security activities to a maturity curve. (Don’t get stuck in the trough of disillusionment.) If you’re nearing the end of the curve, it’s become a commodity. Anti-virus was probably the first activity I remember seeing at the end of the curve. While there were once teams to manage anti-virus, today it’s probably not someone’s sole job.
  • **There are more candidates than jobs — **Infosec has been a great area for job security in general because there aren’t enough of us. As the tools and maturity change, there are pockets of security where there are more people than job openings.

A quick note on exceptions. Any good Cobol programmer today will tell you that no matter what exists, you can still make a good living regardless of the above. It’s true. In fact, if there is more demand than supply, you’ll always be able to move to another job. There are so few people who can do a manual Cobol code review that it’s still a good consulting gig. (No single company wants a full-time Cobol code review person though.)

Future Proofing Your Security Job

So now you’re in a funk because eventually your job is going to be replaced by a tool and you’ll be in a trough of disillusionment. What do you do?

  • **Pay Attention to Everything That Isn’t Your Job — **Especially for those in their first few years of security, you’re only paying attention to your job and your tasks at hand. I’ve heard from many people who don’t necessarily understand how the pieces fit together. The more you understand the pieces to the puzzle, the more you’ll be able to grow with the team regardless of new tools and maturity.
  • **Learn As Much As You Can about the Business — **15 years ago I used to think that the business didn’t matter. Security was black or white. It isn’t. Understanding your business processes, how your company makes money, what goals the organization is trying to achieve overall, and how the bigger pieces come together will give you a strategic perspective. Imagine two penetration testers finding the same tiny vulnerability in a business process. The pen tester who doesn’t understand the business rates it a low and moves on. The one who really understands the business understands the greater impact to the company and how the vulnerability can have a chain reaction further down the process. It’s the same set of security skills with a vastly different outcome.
  • **Learn Something Else — **It’s one of my mantras. Just because you’re in security doesn’t mean you shouldn’t learn cloud, mobile, aviation, whatever it is that will interest you. If you have the opportunity to dig deeper in security or build a doorbell that notifies you via text message that someone is there, I’ll pick the doorbell. Why? Context. Back to the business example, the same can be applied to technology overall. The more you understand how technology works, the more value you’ll bring to the organization.
  • **Take Risks — **The assumption in this entire post is that you’ll stay in the same role too long. Before you move, your job will be out of style. Even if you’re moving around your organization, make sure you’re exposed to new and different activities and processes. Just because you’re a pen tester doesn’t mean you have to be a Senior Pen Tester and then a Pen Test Manager. Jump over to forensics. Join the Mergers and Acquisitions Security Team. CISOs and Managers: Make sure to let your people move across positions, not just up!
  • **Have Fun — **I have this goofy philosophy: If you’re having fun, you’ll perform at your highest potential. I know too many super smart security people who aren’t having fun and it shows in their work. If you want to jump into forensics, do it because it interests you, not because you think it’s a safe job or higher salary. Think about what would make your job fun and do your best to make it fun. (In this video, I talk about the idea of equalizers. Your job can’t be 100% of what you’re looking for, but something else should make up for it.)

No matter where you are in your career, think about how you got to where you are today and what you want to do going forward. If you’ve had an interesting career path, join my podcast to tell your story (send an e-mail to podcast@jayschulman.com). Almost all of the recommendations above take time, so don’t wait until you’re forced to think about it.

I have one final thought. What if the tool that is replacing us is the Uber for Security? Check out the video below for my thoughts on the on-demand security economy.