Job Title/Description: Information Security Architect
What is a typical day like for you?
The day starts with checking the news to see if there has been a major event. Security events can spike due to hacktivists, government sponsored groups, or other parties. Presuming everything is status quo at five minutes to midnight, we go through the reports and alerts from the graveyard shift. What were they working on, what needs to be followed up on, and is there anything interesting happening on their projects? The rest of the day is split up between meetings on projects, business requests, analysis, and design.
What is the most enjoyable part of your job?
That every day matters. I may have created a 99 percent secure network yesterday, but today a new exploit was discovered that makes me have to come up with a completely new set of defenses and alerts. You can never be 100 percent secure. No matter how good you are, no matter how good I am, there’s always someone smarter. There will always be someone who asks a question that no one else has asked before and blows the doors off what everyone else thinks is possible. That not knowing what’s next is an adrenaline rush you don’t get tired of.
What is the least enjoyable part of your job?
Security isn’t cheap. Worse still, in security, if you do everything right then most likely nothing happens. You don’t get hacked that day/week/year. You don’t have an internal breach leaking a million credit cards and user accounts onto the web. Everything just works. The problem with that is when you need new equipment, or personnel, and you ask for the budget the most common response from management is “But nothing has happened.” Worse still, they’re right, as far as anyone can tell, nothing has happened. But consider this: right now your car isn’t wrecked and you don’t have any injuries. You wouldn’t go without car insurance or health insurance would you? Right now your home is just fine, but you have insurance just in case there’s a fire. Information security is quite similar. You want us there before the house is on fire. The cost of security is always less than the cost of recovery after a breach. You just have to make that clear to management and the financial types.
Explain the path you took to get to this job (education, internships, etc.).
I got my BS degree in Computer Information Systems. You might ask why I didn’t choose Computer Science. Frankly, it’s because Computer Science was in the College of Engineering and Computer Information Systems was in the College of Business. The math requirements are remarkably easier in the College of Business. I’m capable of the math, but honestly, unless you’re into a hard science, building bridges, or bombs, you don’t need the advanced math. So CIS it was. From there I started out as most techs do, working on a help desk and doing technical support. After a couple years I followed the traditional path and advanced into System and Network admin work.
That’s where I found the interesting work. Not the individual systems, or the networks, but how they were interrelated. How problems with one impacted the other, and how external factors, whether from inside or outside the network, could impact both. Traditionally people would go on to either system or network architecture. But designing Windows clusters and high end routing weren’t exciting to me. Windows, Linux, and OS X are established. Millions of servers get built with them every day, and when best practices are followed, largely come out looking the same. Networks get built. Packet A has to reach Port B whether it’s on the next rack, or on the next continent. And again, when best practices get followed it all just works. So I opted for the third, and in 1999 a much less traveled path, Security. Security was evolving and the threats changing at an incredible pace. Every day new ideas were being developed, new challenges, new attacks. Information Security wasn’t going to be doing the same thing day in and day out. That’s when I knew it had me.
Who or what was the greatest influence that set you on this path?
I didn’t really have any outside influences that set me on this path. I’ve been playing with computers since I was eight. The mere concept of people paying me (and quite well at that) to keep playing with them continues to boggle the mind. That being said, the choice of security was probably most influenced by my natural instincts towards protecting things and people. The idea of someone shooting at me for a starting cop’s salary just seems offensive. With security, I have something - I can protect businesses and people against threats that while not life and limb, can be incredibly damaging and can originate from a great many more places.
What advice would you give others seeking a similar job?
First rule of this job is: "Always assume the other guy is smarter than you." Yes, I’m aware, you’re a genius. You’re special. Guess what, so is the guy attacking you. And what you can think of in two seconds he can think of in one. He’s got an army of systems to attack from. You don’t know which direction they’re coming from, and they’re coming all at once. You can never stop everyone. You can be the best security engineer in history. You can develop defenses unlike anything that’s ever been seen. And you’ll achieve the mythical 5 9’s and stop 99.999 percent of all attacks. But that last guy, he’s getting in if he wants to badly enough. He’s got unlimited time, infinite resources, and motivation. So what do you do? What can you do? You can make the job hard enough that they decide to attack someone else because it’s not worth the work. You make it hard enough that you just aren’t worth the effort. And you never, ever call them out. Don’t be Sony.
You have to enjoy the never-ending battle. What you did yesterday was great, and today you were a rock star. But tomorrow, there’s going to be a 16-year-old kid in China, or Russia, or the United States who is angry at the world and taking it out on your network. But that’s okay, because you’re there.
Lastly, I’ll give you the secret to the interview. When I’m interviewing someone for a security job, I always start with one question: "Have you ever been hacked?" If they answer “yes”, then I want to know what happened, what was missed, and more importantly, what did they do to make sure that the holes that were used were fixed so they wouldn’t happen again. If they answer “Not that I know of,” then I know they might be good at what they do. But I want to know how they came to that conclusion. What sort of defenses did they have, how were they monitored, what alerts do they have in place that led them to believe they were safe. If they answer “No”, then for all intents and purposes that interview is over. Oh, I’ll ask the same questions that I do for the "Not that I know of" answer. But they’re not getting the job and they aren’t security engineers. Do you know why? It’s because of that last .001 percent. They’re that good. They got through all the defenses in place, and they didn’t leave a trace. Some attackers are so good you’ll never know they’re there unless they want you to, or they make a mistake. And they rarely make a mistake.
How does your job make a difference?
We are risk management. IT’s job is to keep things running. There are systems to be built and maintained, networks to be created, and all of that needing management and users needing access. We’re there to mitigate the risks those create. Despite popular belief, our job is not to tell people "No." Our job is to tell people this is what can happen if. If you don’t encrypt that credit card data, and if the web site is breached, this will happen. We can mitigate the risk of that happening in any number of ways. Our job is to find the right one. Not the most expensive one, and not the free one. The one that mitigates the most risk for the required activity. We protect millions of bits of information transferring at light speed across the planet. We protect our information, and more importantly, we protect Your information.
How do you use science, math and technology in your job?
Our job is technology. Systems and networks all linking together that need to be secured. Our use of science is limited to that without it, the tech wouldn’t exist. Computers didn’t burst fully formed from Zeus’s forehead but have evolved as the science has changed from ENIAC to Siri on your iPhone. And math, ahhh my old nemesis, we meet again. Math and I have a hate/don’t care relationship. I hate it, and it doesn’t care, it still needs to be done. Fortunately, it’s not what you’d call heavy lifting. It is budgets and design trade-offs to meet those budgets. Architecting a masterpiece is all well and good, but you have to be able to pay for it.
Is there one course you wish you had taken in high school but didn’t? Why?
More communication courses would have been useful. A large part of this job is explaining what is going on and what could happen. The differences of communicating with other engineers versus communicating with financial executives can be extreme and a more nuanced approach is often better than reminding them that they’re a half step evolved from the chimps in the trees and what you’re saying is actually rather important. (Oh, and before you get the wrong idea, both groups fit into that category depending on the situation.)
What makes this job right for you?
Because doing this job excites me. I’m not bored. It’s a never-ending game against some of the smartest people on the planet. Whether they’re on your side or not, they make you better because you have to keep up. In security, if you don’t keep up, you will not catch up. So I found a job that keeps me on my toes. A job where you’re never bored is a job you can do forever.
What's the most bizarre or silliest thing you’ve ever done in this job?
In security you have two choices. Have a sense of humour, or have an ulcer. Your attitude is seriously the only thing that prevents the latter. You can stress over every little thing, and be far too serious, or you can have a bit of fun now and then. I think the best prank I pulled on a co-worker was when I found his computer unlocked one day. I opened up a Notepad window on his box and typed in one question: "Do you know what I changed on your system?"
He spent two weeks crawling through that box. Checking every setting, every file, everything he could think of. Cursing at me in dead languages the entire time. He finally gave up and upon surrender asked what I did. I told him, I started Notepad and wrote the question. That was the only change. He turned a lovely shade of purple. Heh! But it taught him to lock his system, and everyone had a great laugh. Well, everyone else did anyway.
What activities do you like to do outside of work?
It depends on the day. I used to do stand-up comedy, and still do the rare open mic night. I like to travel. I read, and play way too many video games. I’ve got a ridiculous movie library that I like to watch. I don’t play sports, and I miss flying planes (real ones, not r/c), but it’s an expensive hobby.
You just won $10 million! What’s the first thing you’d do?
Buy my own plane so I can fly whenever I like. Gather my friends for a legendary pub-crawl, and then a week later go back to work or do private security consulting. But I’m not giving up the gig; it’s just too much fun.