It really happens… almost every time I talk to someone who isn’t in the tech industry or the cybersecurity space. This is the primary reason I try not to talk too much about what I do for a living. Well, it’s that reaction above, and then the inevitable look of disappointment when I tell them what we really do in cybersecurity.
While I think the disconnect is an interesting phenomenon fueled by Hollywood and such, I believe ultimately this does damage to the security profession. Why? Because there are lots of newcomers who can’t wait to get into the field and go track down bad people and hack cool things, and then they get into the industry and realize that 95% of their life is staring at a SIEM dashboard (or the like) or trying to stay awake in meetings. I suppose this is similar to when someone says they’re in archeology and immediately I think of them as Indiana Jones or Josh Gates, and their real life is as far from that as you can get. So in that regard I suppose cybersecurity isn’t any different.
OK, so to my point…
While I believe that attracting new faces into our field is great, I firmly believe that we as the industry representatives should be dealing out a healthy dose of realism. This goes double for when you’re presenting at a security conference or up on stage somewhere else. Alex Stamos had a great Blue Hat talk recently about how everyone’s worried about the top tip of the pyramid, while a vast majority of the problem we need to solve is unsexy, tedious, and potentially really never going to earn you a Black Hat talk.
My ask of you security professionals: Get real when you’re talking to potential newcomers to our industry. Tell them about the problems we need to solve, the big ones that we’re ignoring. Then tell them why they’re so important, and while you’re at it get to work on those too. Because while creating the next exotic 0-day with a theme song, website, and logo may be fun — it’s really not helping the greater good in a measurable way. And that is what we need right now.