Wednesday, August 11, 2010

Why You Might Not Want That Cybersecurity Job

Update: I receive occasional inquiries for cybersecurity career advice because of this post. I haven't worked in this field in years, so I recommend you read this advice if you're trying to get a cybersecurity job.


Cybersecurity, while offering lucrative job opportunities, might not be an ultimately rewarding career for Maryland technologists. I worked in this sector for about eight years as a military officer, government civilian, and government contractor in a variety of different roles, and here's what I want to say about it.

Maryland's business press, government officials, and various tech organizations have lately been enthusiastically banging the gong for cybersecurity.  I can appreciate why - there's a lot of money at stake, and a lot of it comes from Maryland's foremost benefactor, the federal government.  This is a recession-proof, guaranteed-to-grow industry, and Maryland is already home to many successful cybersecurity companies like Sourcefire.  The government and private companies employ many thousands of people and contribute many millions of dollars to our tax base.

So it makes sense for our government to be pursuing these opportunities, but does it make sense for you, Maryland hacker?  Here are some things to consider; these are obviously generalizations extrapolated from my experience.  Feel free to leave comments if you feel this is a gross distortion.
  • Cyber defense is often the opposite of a creative activity; in many of these jobs you're going to find yourself acting as an enforcer, a mere gatekeeper.  You'll be telling the creative people in your organization all the things they can't do or aren't allowed to have.  Often you'll be restricting them not because of policy reasons but because it's too hard to figure out how to allow them to do what they want within the regime you are enforcing (Naturally this does not apply if you work for a company that builds the tools the enforcers use) or because it's just easier to say "no".

  • In classified settings, you are severely restricted in the sources and kinds of technologies you use.  You'll be leaving your smartphone and your iPad in your car or in a locker outside the SCIF.  You won't have admin permissions on the machine you're working on.  Forget installing Chrome with the latest extensions, you'll be lucky to get version 2 of Firefox!  Or you might not have access to the Internet at all!  Also, forget about telecommuting or riding your bike to work; your job will be in a well-defended federal facility or an anonymous office park in the suburbs.

  • Because cybersecurity is so tied to "the enterprise", you'll almost certainly be living in Microsoft land, which may or may not be a problem for you.

  • Many of the government organizations in this field are gigantic, top-down, and super-hierarchical. You will be made to turn as a soulless cog in a giant machine.  There are plenty of smaller, more enlightened companies out there, of course, but the highest paying jobs will probably be offered by big contractors.

  • The federal government has crazy monopsony power over this sector.  Besides the usual and expected bureaucratic games you'll endure, if you work for a private company that does much business with the government you are going to see some brutally depressing market distortions that arise from this monopsony.  You may find yourself working on a product or a program that nobody in your client agency cares about, or wants to succeed, except that they need to spend up their budget dollars so Congress doesn't take the money away next year.  Or you might find your job in limbo because the sales cycle for getting government contracts is so long, and it can take forever for the company to actually have money in hand.  There's some truth to the myths about the Pentagon spending $10K on toilet seats - it probably does cost about $9950 in sales salaries to sell a $50 toilet seat to the Department of Defense!

I was well-paid as a cybersecurity analyst, and often I did enjoy the work, and parts of it involved amazingly cool, James-Bond-like exploits.  But those are the reasons I ultimately chose to leave. Now I am working on my own startup.  My job is less glamorous (I'm not "saving the world" every day) but because my individual contribution counts thousands of times more in a small company which I own a piece of, and because every second and every dollar counts, it's an infinitely more satisfying way to spend my time.  My labors are simply more meaningful.  So that's what I wanted you to know.

UPDATE 8/16/10: Please check out @NetSecGuy's post where he further elaborates on these issues.

POSTSCRIPT FOR MARYLAND GOVERNMENT AND BUSINESS LEADERS

I applaud you for positioning the state to take advantage of the "cyber doom boom".  I'm sure it will help many of my fellow citizens in the short term.  But I wonder how much wealth you think cybersecurity is ultimately going to create in Maryland, especially if it accrues to big consulting companies like Booz-Allen that aren't even based here.  Also, what's going to happen when this sector matures, when Internet security gets better, and spending declines?  Who's going to fill up those office parks and abandoned SCIFs?

I implore you not to neglect other parts of Maryland's Internet tech economy, because it's product companies like Advertising.com, BillMeLater, Millennial Media, Localist, Ipiqi, Common Curriculum, Figure53, Replyz, Deconstruct Media, and a bunch of others I can't think of right now that are building a new, sustainable post-industrial base in our state.

13 comments:

Jonathan Julian said...

I don't think I have as much government contractor experience as you do, Mike, but in my limited experience, these facts are all too true. And the worse news is that many of our region's big IT employers are more similar to government contracting than they are to product companies!

I've worked at places where these things are the norm: lack of admin rights to your own equipment, not being able to telecommute (for political as well as technical reasons), and working on long, slow, boring, wasteful release cycles. How can we convince the smart folks who feel "stuck" in these positions to get a taste for and contribute to the "new economy" companies?

I'd like to think the first steps for these people could be as follows:

1. get involved with after-hours local user groups and start networking. Join meetup.com. Follow local leaders on twitter. Twitter is not a toy. It's an amazing platform that brings you closer to others.

2. occasionally cowork remotely with others - even if you have to take a vacation day to do it. I know this is a hard sell, but it might be hard to see the value of coworking until you've done it a few times. Even if you're just poking around with new tech.

3. start a side project. There's no better way to flex your skills, and it might just grow into something bigger.

I've never been happier since I left that corporate IT world and started working on smaller, more vibrant projects. Thanks Mike for sharing your thoughts!

id said...

I think this is less about security per se, than general corporate (well, fed gov) vs. startup issues.

I've done a number of security startups now (in enterprise, service provider, and fed gov markets), started my career doing security consulting, and also left security for a bit to do an online video startup.

If you're a security and startup junkie, go do a security startup! I'm always happy to help folks looking to start security companies (msg @dugsong), and for more general startup mojo, be sure to check out @davetroy and Beehive Baltimore (which, incidentally, has some security startups right next door :-)

Kevin Hale said...

I agree with all of your points. I felt like a human CPU working in IT security for a well known financial firm.

bosconet said...

Lots of good points that in my experience in government security consulting are very true.

One point you forgot to mention is some of these 'cyber security' jobs will almost certainly be Certification and Accreditation positions which are about pushing papers and involve ZERO technical skills.

Mike Subelsky said...

@Jonathan: you said it! I think you're onto something there with the "big IT employers are more similar to government contracting" and that's kind of why I wrote this. I just want more diversity.

@id: yeah, all bets are off when you're talking about a startup, or any kind of product company but that's not what Maryland seems to be gushing about right now.

@Kevin: thanks for reading, glad it resonated with you!

@bosconet: ugh, yeah - and often the technical talent will feel some pressure to get moved into those kinds of management jobs...

bosconet said...

@mike: pressure to move into management positions (people or project) to continue to get salary increases is not exclusive to the government sector. All too often it seems that companies don't want to keep their technical talent as technical if they stay with the company too long.....

Author, Planet Heidi said...

Some of us enjoy saying no to the stupid ideas of the "Creative types"

Furball said...

Mike,

Insightful article, and got me thinking. I'm currently considering a complete career change from an aviation field to "Information Assurance" (Cybersecurity) in the federal government (Air Force). I'm all too familiar with the "cog in the wheel feeling" you speak of. And I'm used to not having admin rights, working in classified vaults, etc.

My question: do you think experience in the federal/corporate cybersecurity world prepared you well for your start-up, or made no difference? My goal is to make my lateral career transition to Information Assurance, spend the next 3 years learning cybersecurity in the Air Force, and then break free from the bureaucracy and start my own company afterwards. What are your thoughts?

Xero said...

There is something attractive about a high paying position with job security. I want one of those. Yeah I might work on something boring, and may have to sell my soul. But at least I can pay my mortgage, right?

Mike Subelsky said...

@Furball - it's hard to say. Are you a uniformed member of the Air Force or a civilian? Certainly I have found the leadership ethos and the work ethic of the military extremely useful in a startup. There's a certain self-starting "roll up your sleeves and get the job done no matter what, don't whine and ask me a bunch of questions" dedication to mission that you get from military service that is optimal for a startup environment.

Always during my military and civilian time working for DOD, I was finding ways to write code. I wrote a 6K Perl script at one job (it started out as a 100 line helper then grew out of control, without me ever sitting down to design something good). I definitely got to play with some awesome and interesting technology. So I gained some generically useful programming experience, but it didn't really give me much preparation for building products on the web, except that I'm a bit more wary of getting hacked than maybe the average programmer is, since I know firsthand what a motivated attacker can accomplish.

What really shocked me out of the rut I was in was learning about Ruby and Rails and various open source projects by reading blogs. I stumbled onto Paul Graham's blog and that's where I learned about startup culture. The rest was history.

Not knowing you personally my general advice would be "why not get started now"? Are you going to be more risk-tolerant three years from now? Likely you will be even more used to the steady salary and benefits than you are now.

The last few posts on http://davetroy.com are all about this getting started issue...good luck!

NetSecGuy said...

Great post, I had a few additions. http://packetnexus.com/2010/08/the-government-leads-in-cyber-boring/

Mike Subelsky said...

@NetSecGuy: thanks for writing that, nice to know I am not alone in thinking this stuff! I just updated the original post to link to your follow-up.

Manthan said...

Hi! I am a software engineer and I am planning to do a Master's in Cyber Security. (www.umbc.edu/cyber/)
Is it not good to move in this field? Please help me out.