by bitexploder 1213 days ago
I have been an information security consultant for a long time. Software dev background. 2006 start app sec consulting -> senior consultant -> principal consultant -> CTO (of small consulting firm) -> get bought by NCC, start my own company 10 yrs ago -> CTO/managing principal -> sell company -> still consulting. Done so many different things but the common theme is app sec. Finding bugs and risks in software via reversing, assessment, threat modeling, and code review.

Do I still love it after 17 years? No. A lot has changed. A lot has not. I still like it most days. By far my favorite thing has been building a team and teaching others what I learned. I hit burnout here and there. I think computers and tech are different and objectively a little less fun now for this field. When I started I could find a bug in a system and write an actual exploit (actual machine code!) for it by hand in a reasonable time scale and that was always really cool. Now teams of people are required to achieve the same exact goal. Just one of many examples.

So anyway, some get off my lawn cause I am older now, some is just me changing what I like and want from life, some is tech changes. It’s still a great field as a consultant. Show up. Hack. Write report. Leave. Never be a CISO, you can’t pay me enough to do it. The end.


Sounds like folks like you must have been doing a really good job if it's that much harder to exploit vulnerabilities!

Yeah, ultimately the goal of infosec is to make itself obsolete. On the one hand, it seems to be working because exploiting things has become more difficult/expensive. On the other hand, cyber attacks seem more rampant than ever, because exploiting things has also become more lucrative. So are the effects of the infosec industry real? Or is it just an arms race?

We still find SQL Injection at an alarming rate... but yes, eventually it would be nice to make it nearly impossible to do the wrong thing by default for programmers. That is the dream. Information systems are just too vast and complex for that to be true on any time scale I could predict for you, though, so job security seems pretty good!

Yep, memory corruption bugs on a modern OS are really hard, but still possible. That's why sketchy firms like those that build Pegasus now pay 7 figures for a locked and loaded iOS exploit, which objectively does the same thing mine did a decade or so before. :)

I think it's more like software developers have gotten better, leaving less room for cyber security.

When I first started any idiot could hack a web application because nearly all of them had silly exploits like SQL injection.

We all collectively made developers better. Anyway, memory corruption is mostly stopped by the kernels and memory corruption mitigation strategies. Mostly implemented by security-focused devs and guided by information security research. It's a yin and yang thing. We find stuff, the community and big organizations research and figure out new mitigation strategies etc. It is an ecosystem with many loops that have security researchers and bug hunters almost everywhere.
As someone with a C/C++ background considering a move in this direction career-wise, would you still recommend it?

It really depends on what you want to do. We hire folks from dev backgrounds all the time and many stick around and enjoy it. If you get pushed into some corporate app sec role where you aren't doing interesting problem solving, I do not recommend it. If you get to really dig into security problems and challenges using engineering and technical skills you have acquired, yes, it is still fun. You get to take apart other people's puzzles (apps/code) and there are tons of opportunities for automation, scripting, writing tools, etc. It is an awesome field to grow in when you have a lot of hard CS and development skills and can apply them meaningfully. That makes things pretty narrow in terms of roles out there that check all of the boxes I mentioned, but, yes, it is still interesting and fun. Look at all the cool things people have done with fuzzing over the last 5-10 years, starting with AFL which really changed the game. Now people do fuzzing with VMs (qemu) etc. Just a ton of really cool stuff that a solid C/C++ dev can really dig into and play with :)

I think the trick to staying happy in cyber security is to chase down niche fields in technology. Your work won't be perceived as sexy by the broader community since you're not tracking North Korea, but the trade-off is that you will have fun and not have to brush shoulders with so many egos. So what's green these days? That's for you to decide, but one area I think is interesting is smart contract security on blockchains. Lots of folks are pouring into that space.

Moving into the blockchain space to avoid brushing shoulders with egos is like living in a pig pen to avoid getting dirty.

Sure there are a lot of egos on the business side of blockchain, but I meant smart contract & protocol auditing.
> Never be a CISO

Can you share why?

Average tenure for a CISO is lowest of any C suite. You will likely take the hit in the event of a security incident and be fired. Tedious work. What to do is often obvious. Getting everyone to do it is the hard part and usually devolves into politics. Thankless job, you can only be wrong once. Just not appealing and CISO is becoming legally sketchy, requiring a lot of diligence out of a CISO to not end up in legal trouble. But if this appeals to you, it can be rewarding stuff, but it is not a great tech role IMO. Or a great management role.
> Average tenure for a CISO is lowest of any C suite. You will likely take the hit in the event of a security incident and be fired.

As far as I can tell, this is the actual purpose of a CISO: being the sacrificial goat when an entity experiences a security event that ends up in the news. I say this without any sarcasm.

> As your company's CISO, the most unkind yet accurate adjective people will ever apply to me is "ablative."

For Corey Quinn's fantastic "security awareness training" thread: https://infosec.exchange/@Quinnypig@awscommunity.social/1097...

At a former job I worked directly under the CISO doing architecture audits.

He described his job as "we shouldn't do this, or this. we probably need money for both, or failing that, implement some really annoying, workflow-impacting changes that will annoy people. so gib mony plz".

Inevitably the org would say no to both, so he asked for that in writing and then played the CYA game hard when it went bad.

"a cortisol rollercoaster followed by begging followed by more rollercoaster" was a phrase he used.

> Average tenure for a CISO is lowest of any C suite.

Do you have any stats to support this statement? I work as an Information Security Officer; other firms have BISOs or other names for this kind of position.

Additionally, a lot of what you are describing is either cliché ("you can only be wrong once") or only true for certain types of businesses or regions. There have been examples where CISOs have experienced legal pain in the US, see Uber's former CISO. But I would not expect companies to see this as an exemplary case.

Anecdotal observation.

Articles like this: https://www.forbes.com/sites/forbestechcouncil/2020/02/10/th...

LinkedIn data is pretty reliable, so this is not a difficult thing to study sufficiently.

BISO and CISO are generally not the same. A BISO function tends to be an interface between information security and business units.

That is certainly true. I was trying to point out that I am indeed not working as a CISO, but as an ISO or a BISO. :)

There's a reason the role is often referred to as the Chief Sacrificial Officer...

From what I've heard from other CISOs:

You own a bunch of unsolvable risk and your head is one of the first to get lopped off if you're popped.

Honestly, the CISO role probably needs a golden parachute and a direct report to the CEO for it to be an appealing path for most anyone who's experienced it at least once. The former to incentivize owning that much risk, the latter to enable the role to drive change.

That's insightful, but I still think the assumption that the CISO has to go when the company gets compromised is a big issue. Instead of security being a team effort, with the goal being making the hard choices together, finding the correct compromises to let the business thrive while being secure - it usually makes the CISO take an adversarial position to anything in their company - since it's always their head if something bad happens.

Amazing CISOs lead security by enabling others to make secure choices that still let them move quickly and deliver value. To do that - they shouldn't always be one hack away from losing their job.

The CISO is an odd role because it mostly has to help protect against tech risk without owning tech, and because it's a bit of a crap role, you end up with all sorts of the wrong people and behaviours in the role.

Common Pitfalls:

- Act as a gate that slows everything down, i.e. it must be secure, which in turn makes things less secure, as there's less time on the board to fix things.

- Chase massive budget. Eventually get massive budget. Buy silver bullets that don't fit in tech's guns.

- Focus on the non-tech parts. We'll train people not to open cat.jpeg.exe instead of, you know, auditing their usage and turning off their kit / login when they're pwned.

With anything, it's all about the people you put in place, but my experience is the average large company CISO sits on a pile of paperwork and IT security whilst their servers aren't patched.

The CISO gets blamed and fired because it's a language that shareholders understand. You think shareholders are going to understand that the CISO enabled others to make secure choices?

CISOs are starting to report to the board. The biggest challenge is budget. It's hard to put an ROI on a theoretical risk where the chances of the risk happening are at best an educated guess. Most company leaders don't value detection of breach but only prevention, so things like the significant cost of storing network flow logs are an uphill battle.

I fumbled on an interview once when asked "tell us how a security initiative you led brought value to your organization". I rambled on about average breach/downtime cost but I couldn't quantify anything on the spot. In retrospect, I should have focused on man-hours saved through prevention systems. It's a hard sell!

CISO direct report to CEO can be bad politics.

CISO direct report to CTO can be a conflict of interests for the CTO.

C-suite positions need a golden parachute because they can be career-ending. You don't climb to the C-suite then go back to being an IC or lower-level director.

CISO can be even riskier than other C-suite positions. So CISOs really need golden parachutes. But CISOs almost certainly don't get golden parachutes worth the while -- they are generally seen as less important than CTO, CFO, COO, and CEO.

If a risk is "unsolvable" it gets accepted as is by the accountable person in the business side of things. They will/should have good reason why they can't solve it.

Plenty of companies keep their security teams + CISO after they get popped.

Any Cx0 that has a boss besides the CEO isn't a C at all.

You'd be surprised how often this happens though. I've seen all the following structures:

CISO -> COO -> CEO

CISO -> CIO -> COO -> CEO

CISO -> CSO -> COO -> CEO

CISO -> CLO -> CEO

CISO -> CLO -> CFO (wtf?) -> CEO

And none of:

CISO -> CEO, or even

CISO -> CSO -> CEO

The only one I've seen be extremely effective aside from a direct reporting relationship has been where the role reported up to the CLO (general counsel) and said role reported up to the CEO directly. Reporting up to the CIO or CFO (again wtf?), there were conflict issues at play where the CIO or CFO was obligated to prioritize their main mission. CISO to COO worked fine generally from what I saw, as did CISO to CSO to COO, but it meant the CEO was often shielded from issues where they could impactfully move the needle where needed.

---

The CFO one was at a company owned by private equity, which makes perverse sense when you consider that most business leaders consider infosec to be a pure cost center rather than a business enablement function. Doesn't help that many CISOs historically never ran their shops with business enablement in mind either, which put a lasting dent in infosec's reputation as a function that many emerging leaders are still trying to rehabilitate.

I am a CISO, but transitioning away. It is just plain boring. Lots of admin, reports, reviews, very little actual IT.
Normally you are juggling a huge amount of security technical debt, massively under-resourced, the CFO under-funding IT and having no budget for innovation in the first place is part of what caused the problem.

The security world and the compliance world are changing daily, don't track each other, and your compliance drives costs, while security drives incidents.

They shared why in the prior two sentences, when saying what they enjoy when not a CISO. "Show up. Hack. Write report."

I asked for more detail because I'm in a role training under a CISO and rapidly approaching a decisioning point to assume their role. Sorry I didn't make that clear in my original comment.

Anyhow, I think I elaborated in other places. I don't think it is a bad role, but as a tech first, programming first type of person I would never be a CISO. Even as a manager I want to manage interesting technical things and spread knowledge and skills of how to build (secure) interesting technical things to people. CISO and risk management roles everywhere herd cats and don't really get to do that. So you have to keep in mind my perspective. Comp and top end of the risk management and information security management career can be really rewarding, but it is a mostly thankless job trying to get people to do things that no one will ultimately like all that much even if it is the right thing and they know it :)

Well, they don't call it Chief Incident Scapegoat Officer for nothing.