Job security in security?
I used to think that there was job security in working in security. It's never going away, right? Wrong. I know a whole crowd of highly experienced, highly qualified security folks, some of whom are coming up on 18 months without a job. I also see people clinging on, white-knuckled, to jobs they hate because they cannot see any other opportunities for themselves. This isn't a new COVID problem.
Let's start with security guards. (No, I'm not going to refer to them as 'asset protection professionals' or any other bullshit. They're guards. You can call a tail a leg but that doesn't make it a 5-legged dog.) You should already know my opinion on guarding as a dead-end job with a very low ceiling. But as a job, does it have longevity? A security officer can lose their job on a site for a wide variety of reasons. They can be 'off-sited' because the client dislikes them, regardless of how effective they are. They can be TUPE'd over to a company that wouldn't have hired them in the first place, and find themselves gradually reduced in hours or opportunity. They can upset their site or account manager by trying to get educated and doing things better. They can get injured on the job in a range of ways. If they make management level, their company could be bought by a larger firm and they might find themselves surplus to requirements. There's little security in a security guarding job unless you are happy to just show up and shut up forever.
It's no brighter in infosec and cyber. I used to think that it was, but they have the same organisational problems, if not worse. If a physical site gets burgled, it's embarrassing. If an organisation gets a data breach, it's a damn sight more expensive than that. The average contract life expectancy of a CISO around the world is regularly stated as 18 months. You land a new CISO gig and either fight to do things properly, fail and get fired or you shut up and take the money, fail and get fired. Burnout is also a very real problem in cyber and infosec.
I have friends who are pen-testers. Sounds glamorous but many of them want out. The next time you hear someone bleating on about the alleged 'cyber skills shortage' ask them why we aren't retaining the talent we've already got? Being a pen-tester is like being a Hollywood actress. Next year there will be someone younger, prettier, thinner and cheaper coming along for your job. (That's a misquote of Julia Roberts before all the lunatics come after me.) Spending day after day doing the same things on the same tools for organisations that don't care can become a huge weight to carry, and a lot of them that I know are looking to get into infosec from cyber. (Infosec is the strategic management, risk and governance end of security, for clarity. The cyber guys do the IT stuff.)
Organisations do not want security. They want compliance. I happen to know of an organisation that has had multiple large fines for multiple data breaches over the last few years, and (get this) these assholes furloughed their security team at a time when cybercriminals are running rampant and having secure networks is essential with a remote workforce. It doesn't do a lot for any security practitioner who cares about what they do and wants it to mean something.
You only need to monitor the jobs market to see how bad things are. Job descriptions are getting ridiculous, asking for the Earth (5 years' experience and all certs for an 'entry-level job', for example). Most ads convince me that the hiring firm are NOT somewhere anyone who cares about security should be working. Poor cultures, broken risk architecture, weak management and leadership. Most jobs appear to be a box-tick. Even if we are successful, they often won't let us do the job properly.
So, what to do? We can all sit around, wringing our hands and waiting for that perfect job opportunity that will respect us, utilise our skills and give us meaningful work to do for the long-term. And starve in the meantime.
Or we can seize our futures by the throat and go after the work we want for ourselves. Our primary loyalty in our working life has to be to ourselves. We can choose what we get paid and when. We can even choose our clients, in some respects. When you are self-employed, every day can be payday. It's not easier, but it's a lot more rewarding, and you are in charge of your own destiny. Do you ever wonder why your employers ignore you and then hire a consultant to tell them what you've been telling them for months? They listen to consultants (more often than not). Why not become one? A recession is widely believed to be a great time to start a business, and in some cases it's essential. Stop waiting for the world to recognise you. Recognise yourself and stand up.
Here's a link to my Security Consultant Masterclass if you are thinking of owning your own career. £127 to learn how to make a business out of your security knowledge. What to charge, how to charge, how to market and how to build your projects and products. It's all here.
https://securitydoctor.thinkific.com/courses/security-consultant-masterclass
Veteran / EHS / Project and Risk Management / Project Supervisor Construction Stage PSCS
4 years ago: Very good article, glad you held back
Global Corporate Security and Insider Risk Professional. Building out a world class Security Fusion Centre
4 years ago: Interesting article Rich thanks!
Security - SMM Frontline SIA - CCTV - M. IPSA
4 years ago: Great article.