Total Pageviews

Aug 16, 2006

Dead, but not buried?

After a couple of years as a consultant in the field of information security, it looks probable that I might be moving away from this field in a couple of months time. Its been serendipitous experience for me in this area of work. The only prior knowledge I've had in this field had been a couple of information security courses at varsity.

It was with high expectation that I started working in this field, but that was dashed quite quickly when I began to realise that most of the interesting work was done already, or was being done by specialist computer scientists. All I had to do was to use the work they did to prove to others that they were indeed right (if u know wot i mean). Anyway, that phase is almost done, and I might be moving to another side of engineering pretty soon.

Now might be an apt time to share some of my experiences in this field:

1. Security is one of the last items in the list of priorities amongst the clients I've worked with. Some of my best work has been broken down because the client did not understand the importance of change (and why should they? "if its working fine, why mess around with it?"). I've often compared IS consulting to flogging a dead donkey. Yea, yea - so its my responsibility to educate them? Screw that - I'm an engineer, not a primary school teacher...

2. The 'sensational' part of security is the cool tools and techniques to demonstrate a hack eg. breaking an XP password, or surfing the internet when other cannot, or messing around with someone else's machine. These little tricks earned a lot of respect amongst friends and colleagues.

3. Anyone can be an expert in this field. All you need is some experience working with OSs and Cisco products, and a keenness to play around with open-source security software.

4. Very few keep up to date with the latest hacks. Its unlikely a minion company may be affected by an attack because of the effort and skills required.

5. Having said all this, the glorified role of a IS consultant is still an essential to many major organisations like banks because, like every aspect of modern business, bad news can have serious negative implications on the services offered by an organisation. When the sh!t hits the fan, everyone gets to feel it. I've not heard of any such news in my years in this role, but, like 9/11, anythings possible. In my opinion, the information security field is a dying field, as safer options for performing essential functions will begin to appear - and the role of a hacker will begin to diminish.

No comments: