Advice to a Novice Infosec: Work Commitment and Personal Life

Dear Novice Infosec,

I will probably get criticised for writing this, but dammit, I’m now at a point in my life where I don’t have to care about that any more, so I might as well exercise this freedom for “good”.

Every so often you will encounter some fool trying to “gatekeep” access to the industry — by which they generally mean “cyber” or “pentesting” rather than security engineering, because cyber-types literally live to exclude people — who writes something like this:


And then you will subsequently find a rebuttal from some industry greybeard — beards in this industry, especially Unix Beards, are gender-nonspecific and sometimes worn pink or blue and upside-down atop the head; sometimes I wonder if we’re all Terry Pratchett Dwarfs — who will write an inclusive and responsible “yes, dear heart, this is nonsense, you can perfectly well have a career in infosec and still have time for a ‘life’ – clubbing, family, children, mortgages, socialising, tennis…” — and these people are correct.

UNFORTUNATELY, though, my lived experience is that the guy who kicked this thread off is also correct, except for the stuff about cyberpentesterygatekeeperyness. He’s incorrect in that — if you want a long, successful, and highly remunerative career in this industry — you are far better off learning to be a “generalist” and learning how to build, as well as defend, as well as attack, as well as write and communicate clearly.

But yes: the big truth is probably better put as: you will accrue in proportion to your investment, or possibly: you shall reap what you sow.

I am now 53, have been doing paid systems & security development work since I was 20, and I was “hacking” — in the old sense of the word, trying to obtain ANY time on a Unix system of some sort, to explore, to learn to code, to accidentally crash the kernel by failing to close a socket(), etc — for 3+ years before that.

And… I had almost no life outside of this. And that was my choice. And that was okay.

In my late teens I literally printed out (“stolen”) Unix utility and kernel source code and took it home to read. I printed manpages too. In my early 20s, I bought books like “Writing a Unix Device Driver” (1988, for MASSCOMP RTU systems) and printouts — including generations of my own code — piled high in my bedroom. (Which tells you a lot. I still have a bunch of them.) I wrote socket emulation layers for the Amiga, experimental bytecode systems, and eventually I taught myself Lisp by implementing it, and Scheme by (then) failing to implement it. Eventually I started writing password crackers, and related tools, which subsequently got me into political activism for free software and against the censorship of encryption.

It also turns out that being the kind of person who is always in the kitchen at parties, but for a hobby scrounges up machines to experiment with number field sieving, is also how you end up breaking cryptographic challenges and lowering your Erdős number — which achievement can help you win a good job and the respect of fellow nerds, even though you (like I) have zero qualifications or certifications in computing, let alone infosec.

Instead: you end up writing them.

[sidebar: certifications are a scam; but that’s another blogpost.]

But did I have a life? Responsibilities? Maybe. Some relationships which bombed, but then my friends who did have lives were also bombing-out on relationships. But also I have had solid, interesting work for all of my life, and good pay for most of it. I have been fortunate — not privileged, it could all have easily tanked, too — but a lot of that fortune came through hard work at the clear expense of what many of my peers would have called “a life”.

So my advice to you, novice infosec, is this: you do you — that’s all.

You can come into this career as a 9-to-5er and do a bunch of courses and certifications, and you will have a job. You may be well-remunerated, and there may be an opportunity for exposure and advancement. You can do well. It will be fine.

Equally: this may be a vocation for you, and that’s amazing. Welcome. You are not alone. Tell anyone who asks you “Why do you never switch off?” that it’s because you have a chance to go change the world, and then actually go fucking do it. If the other party doesn’t respect that, or wants (true story) you to quit work to tear you away from what you {love, do, enjoy, are good at, get paid for} to start a vegan cafe, consider dumping them sooner than I did.

Don’t let people tell you what hurdles you have to jump over.

Accept that there’s likely a trade-off regarding “how much you commit” versus “what rewards you may obtain”.

Do your best to choose a balance which suits you, and take care to watch out for, and avoid, people who would exploit you and your effort without proportionate compensation.

But yes: you do you, and the best of luck to you.

ps: I did once work out that in the period 1988-1998(ish) I had probably squeezed an extra 3 to 4 years of “working weeks” into that decade. So in a sense I’m approaching 40 years of “work experience”, which therefore makes it doubly sweet to drop it all now and become a stay-at-home dad. Turns out that it’s not necessary to wholly avoid a life when perhaps instead you can rearrange it for asynchronous serial dispatch.

pps: If you believe that sharing “an extra 3 to 4 years” is somehow bragging, then you’re not getting the point. It’s simply true, and is an aspect of me and what I wanted to achieve. You do you.

Comments

3 responses to “Advice to a Novice Infosec: Work Commitment and Personal Life”

  1. David Edmondson

    “…become a stay-at-home dad.”

    Wow – congratulations!

    1. Yeah, thank you. It’s a lot like a hackathon that never ends.

  2. David Edmondson

    Nonsense – my youngest is 20 and I’m sure the end is in sight. Please?
