Security Technicians v. Hackers


@author Randy Gingeleski

@since 03/04/2017

@see career, philosophy


Coming from a software-building background, I get the nuance between “software developer” and “software engineer.”

Software developer = code monkey

Someone else designs and architects the software. Then they break down the coding that’s needed, maybe in a JIRA task.

While the software engineer certainly could do the task, the developer grabs it from the board.

Maybe the dev isn’t even that familiar with the code base. They just need to know enough to do this JIRA task.

And then they write a unit test. Rinse and repeat.

Here’s another relationship that I think is similar. Coach to most football players.

There are some football players who are real artists: they get recognized as stars, everyone knows their name, they’re high-value.

I don’t mean them. I mean the football players from your high school team where you were like “Frank is on the football team?”

The coach writes the plays and just tells Frank where to run.

Do you see where we’re going? We’re going to infosec land.

I mean… this is a blog about security.

Software engineer to developer, football coach to most players, true hacker to security technician.

We keep hearing about this huge talent gap for security people that’s coming our way. But I think most of that gap won’t need a lot of talent.

Let me MS Paint you a picture.

Stay with me, treasured reader, let me contextualize this further with an Adrian Lamo quote:

“… To truly excel in information security you have to be able to develop ideas and methods beyond the curriculum presented to you – take what you’re shown and figure out *why* it is, and alternative ways of doing it. Security and hacking are not recipes, they are ways of thinking, unless you want to be relegated to life as a technician rather than an innovator …”

What’s a security tech? Someone whose job is to just help maintain PCI-DSS compliance by checking a bunch of boxes on a pen-test-by-numbers.

That person is a basic shirt from H&M.

What’s a hacker? I’d point at Jerry Gamblin or Tavis Ormandy.

Jerry Gamblin has a strong personal brand, contributing a lot of open-source and being really present on social media. Troy Hunt is another strong brand. They’re like Gucci shirts.

Tavis Ormandy uncovered Cloudbleed and who-knows-how-many other bugs. Super high technical skillz. He’s like a shirt made of gold chainmail.

Both shirt types are going to command high price tags! Maybe 20x the H&M shirt’s.

To be in the upper percentiles of infosec earners, you need to put yourself out there and innovate and move the field forward.

That’s why you should care about the difference between techs and true hackers. Money. 💰💰💰

But… it’s OK if you don’t want to hustle to the top. That’s not a 9-5 thing. How much extra time goes into writing blog posts, doing social media, researching on their own, reading other people’s stuff to stay current? It never stops.

We’re blessed that being in security, period, means we won’t starve. Lockheed Martin needs people to run HP Fortify scans.