Thursday, August 13, 2009

what's the point?

I was asked some philosophical questions today in an interview, about what the point is of Information Security, and why I do that instead of something else. The questions were general enough that I don't feel it's unethical to talk about them here, so I'm going to expound on them a bit.

First of all, why am I in Infosec? I sort of "fell into" the profession, unlike a lot of people who have perhaps more technical backgrounds. It's not that I don't have a technical background at all -- I knew how to spell TCP/IP before I got into Infosec -- but most of what I know about networking and systems was learned on the job, not something I knew before I started. There will probably always be gaps in my knowledge because of this, and it can be pretty frustrating to be confronted with those gaps.

But on the other hand, one of the things I love about Infosec is that NOBODY knows everything. There is always more to know. There are people who are looked up to, but the true Information Security professional never feels that it's possible to be an expert. There is no one tried and true way to effect security; there is theory and there is practice and there is hard work. There is guessing, and hunches, and aha! moments. There is the triumph when you have defeated a problem, and there is the sick, sweaty panicky feeling when you know that there is a problem but not exactly what it is or how to fix it.

And that is what I love about Infosec, and why I do it. It's a sea of chaos out of which I can do my best to make some order. It is a never-ending source from which I can drink knowledge. It's the frontier, and I love to explore it, even if I occasionally get eaten by a tiger.

And that's the thing; we are in fact going to be eaten by tigers. Because the only truly effective way to secure a system is to disallow it from BEING a system -- to cut off all access to it -- there can never be any assumption of security. There will be breaches and leaks. However, that knowledge is no reason to stop trying to secure systems and networks. I lock my car doors when I walk away, even though I know that a determined thief can break in. I want to make it hard for him to break in, and once he does, I want to make it very difficult for him to get away with my goods. It's a battle that I may not always win, but if there is a point to doing business at all, there is a reason to try to secure the means of doing that business. And after you have done everything you can think of to secure the systems and network, you never assume you have succeeded; you continue to check, you monitor, you look for the little things, you keep on pushing, because the tigers are hungry.

There are other things I like to do. In fact, I probably spend too much time doing some of them. But over and over, Information Security engages my passion, and seems to me to be something worth doing. And that is why I do it.

No comments:

Post a Comment