Well, it has been a while since my last post. Around eight years, during which, as any reader can imagine, the IT industry has evolved beyond imagination. Or maybe it hasn't, what do you think? What is true is that it has been 11 years since I wrote my first post. That's around 27% of my career (who knows), so I have learnt a few things since that day. If you are around your forties, most probably you are at the top of your career, maybe not in terms of salary or functional hierarchy, but yes in terms of productivity, brainpower, that is, capacity to deliver. On the other hand, if you are in your late twenties or the beginning of your thirties, you are most probably still growing, my friend, putting into practice all that knowledge you gathered at university, in a master's program or whatever you studied. If you are in your fifties and you are an IT engineer, this post may also be of interest to you.
When I started my professional career I already knew what Artificial Intelligence (AI) is; actually, I coded a funny Brisca program that I trained against myself and some friends. Bayesian networks and other fancy AI terms were already in my backpack, same for data analytics (we called it data mining) or bioinformatics. These "fourth industrial revolution" things were born many years ago, although they have evolved as computers did since that time. In my internship (2006) I did a pentest based on the OSSTMM methodology and yes, 13 years later the methodology is still perfectly valid. Nmap is still a Swiss army knife and Nessus is as handy as always. Actually, most of the recommended security tools that exist today were common also 10 years ago. Just a fast comparison from the sectools website using archive.org:
Rank | Then (via archive.org) | Now
1 | Nessus | Wireshark
2 | Wireshark | Metasploit
3 | Snort | Nessus
4 | Netcat | Aircrack
5 | Metasploit | Snort
6 | Hping2 | Cain & Abel
7 | Kismet | Kali
8 | TCPDump | Netcat
9 | Cain & Abel | TCPDump
10 | John the Ripper | John the Ripper
You could argue that this is just a list from just one website, and that is true. It's difficult to support any statement only with this; what I can support is my feeling that not many things have changed since I started my professional career. In spite of that, every year I have this feeling of being a little bit more unplugged from the IT day-to-day. Nobody can be Mr. Know-it-all (maybe only our brother-in-law), neither can I. Those who studied or study Computer Science knew from the very beginning that this was a different career, that we were going to get used to studying, to having IT news every other day. And yes, even we couldn't imagine how absolutely right that was going to be! I myself study in a "regular year" between 60 and 100 hours (not taking into account reading blogs, magazines or news); the number of hours varies depending on the employer, how much you love IT and how much free time you have. Don't get me wrong, I love computer science and I get excited whenever I try a new technology, even buying a new computer (and I have been lucky enough to have a few). But the question that arises is: are 100 hours enough to keep yourself plugged into reality? Well, as a Consultant the answer is easy: it depends.
There are many career paths in IT; let's put it simply (pardon): you work in operations, admin stuff, patching and maintenance. You are impacted by change in cycles of 5-7 years, depending on the technology you are specialized in. Every year there will be updates, new functionalities, more things to do with the same technology, but I guess that the pace of change is something that you can handle in that training time. Most probably if you started coding in Java 10 years ago you can still do it and sleep well every night without the worry that a disruptive programming language is coming to leave you without a job tomorrow (if you don't think so, try talking with a Cobol developer or a Mainframe admin). Same IT background, many different jobs, many different specialization branches. From my side, I've been in the IT Security Consultant and IT Audit fields, so I either put security controls in place in any kind of project or I review that the controls that are supposed to be in place are there. As a profession related to Trust or, using a more accurate term, "reasonable assurance", you may face a much more diverse scenario in your day-to-day (please note that this is a very high-level opinion; any job could be different and for sure I am wrong in many cases). You verify that the process, system, machine, "thing" will work as it is supposed to and that the bad guys will not sabotage it, jeopardizing business objectives. So, there is no limit to what an IT auditor may audit; all the IT processes are in scope. When you are a Security Consultant something similar may happen: there is no system in production or under development that you may not be invited to review. Furthermore, there are new threats, new regulations, new IT processes or new technologies (I take for granted that people change also xd). If you look at the picture, depending on the day you may feel excited or not so happy, but hey, not everything is bad: we still have our 100 hours per year, and we work around 1700 hours each year. That's 6% of your time, or of your employer's budget, depending on the case.
Once upon a time I was a Computer Science student; that meant that in five years I had to pass 365 credits (3650 hours). After such a big effort, I became an engineer. If I, we, keep the studying pace as professionals, we will get a second Computer Science degree in 36 years (though maybe somebody will be thinking about retirement at that moment). Well, there is a small error in my hypothesis: working time is also learning time. When you join a new project you take your time to review the documentation carefully, to understand what this project is about, to prepare yourself and to learn. You may even buy books related to the subject, have interviews with the experts and become yourself "a new expert" in a few weeks so you can provide the expected reasonable assurance.
Is this enough? Well, it should be. It's you and your professional judgement who should decide if it's enough or not (if not, raise your hand and warn your boss, please). There will be some projects where, the harsher it is, the bigger the unrest you will have. Here is the Engineer's Conundrum, because you are a professional, besides you love tech, so, why not? Why not study a little bit more, even in your personal life? But wait a minute, you are already doing your 40 hours per week, you have family & friends to attend to, most probably you are gaining weight in your comfortable seat and you also need to get back to sports. After all, you are around your forties. So, is this a real Conundrum? Remember the most famous security sentence: there is no 100% security. Oh, now yes, everything is fine. If something happens you can say that and everybody will understand. Go play & enjoy the good life, you engineer.
I have my answer; you should also look for your answer. I write with some rhetoric just to relieve any burden on the reader. You know how well you work, don't you? Just to give you a clue, I think it is not about how many hours you study every year, it is not about how fast the technology, regulation or threats evolve, but about how you challenge your work, your ideas, yourself. It's good to do peer review, to attend those conferences where you talk with your colleagues, read books (many if possible) and take the temperature of the profession you chose. Nothing new, is it? After all of that, what is your gut telling you? Here you have the answer.
I started this blog in 2008; I was excited to share everything that I learnt at that time in my job but also to share my own personal research. Sharing always gave me more than I got (I could write a very long post explaining why), and my gut just told me that it was a good moment to come back. Information Technologies are not the panacea anymore, the silver bullet for the world's problems; actually, many people look at IT as the source of their problems (especially those that were always unplugged or that lost or are about to lose their jobs). Misinformation and noise-data are also in every corner, so I decided to come back hoping that I can bring some light into this chaos. But I am not that altruistic; I also hope that I can improve myself in this process, put the hard skills into practice and, why not, discuss these thoughts with others so somebody can challenge me.
Stay tuned.