Q&A Monday: Is IT Security nothing but paperwork?


Oh boy, I’m excited, I haven’t done one of these in a while!


In my current company, I just switched over from the server operations side to the security side of the business. While I have only been in this position for about two weeks so far, I’ve been doing more meetings and paperwork than I have other work. Is security nothing but paperwork?

Evelyn Clayton
Okmulgee, OK

This is a good question, because I have heard this a couple of times… and while I wish there was a straightforward answer, the real answer is: it depends. IT security can be different depending on where you work or what you are doing. For example, if you are doing Red Team (penetration testing), there would be more technical work, but there is still the meeting and reporting piece. People who work in Security Operations Centers tend not to have paperwork (per se), but tend to work on tickets instead.

Like I said, this all depends on the company you work for; small or medium companies may not have all the normal security roles filled. In these places, while you may have a title (like security analyst), you may take on many other duties that traditionally belong to separate roles. I’ve seen security analysts who did risk management type work, since they didn’t have someone to fill that role, but the organization needed its security professional to complete that task.

Now, this isn’t something that is just tied to security, but I feel like more people have an expectation of security roles. For example, I was a Systems Administrator in one company and I did almost everything on the network: configured switches, racked and installed servers, managed VoIP phone systems, etc., all while friends with the same title at other companies just managed servers and had teams to rack servers, or a telecom team to manage the VoIP phones. This is something we all need to be cognizant of in IT: what does the role really entail? There is nothing good or bad about these extra roles, but you need to make sure you understand the position before accepting it.

Now, from my personal experience, I’ve had a lot more on the meeting, compliance and paperwork side. This is something that I don’t mind, as I view it as something that you need in order to build a successful security program, but I need people with the expertise to do the scanning and report the results, to help me build a successful strategy.

So, to answer concisely: understand what security means for your company, and what is expected. If it’s not for you, that doesn’t mean you need to give up on security; maybe look for a position that better matches your needs. If it’s not too overwhelming, doing a multi-faceted security role can help you learn skills without the pressure of having to be excellent at it. When your sole skill is penetration testing, there’s sometimes a little pressure to be good at it. Either way, you need to make the decision for yourself and what’s best for where you want to go in your career.

If you have any questions that you want Jim to answer, from business servers to home computers, drop him a line at me@jimguckin.com, and he’ll try to answer your question. Check back every Monday for a new Question and Answer session, and check back Wednesday and Friday for other technical insights.
