
Thursday, February 20, 2014

Evolution of a Security Engineer

Everyone has a story.  For me it started in 2003.  I had been recalled to Active Duty from the Naval Reserve as a Unix Administrator.  I knew nothing of IT or Unix back then, but I did hold the qualities that employers look for - fast learner, on time, driven, etc. 

The short version of my story follows. My orders were up and I would have been going back to working four jobs - bagging groceries, naval reserve weekends, band gigs, and college.  The Air Force Technical Sergeant that I worked for knew I was worthy of much more.  He had a cigarette with another guy on one of my last days.  This man was looking for entry-level IT Security people to become intrusion analysts.  I met with him and he asked me what I knew about TCP/IP.  I told him I could spell it, and he told me to go to Barnes and Noble, buy two books about TCP/IP so he knew I was sincere about the position, and I would be hired.  I did, obviously.  I put myself on twelve-hour nights purposely for the first year and a half so I could read, use the lab, and catch up to the required skillset, and the rest is history.  It was pretty much a lucky break, and along the way I've been extremely lucky to have worked with some great mentors and people that have helped me grow quickly, coupled with jobs that make for an outstanding resume, and of course...a little hard work. I've had the luxury of growing up in security, and as such have worked the gamut over the past 11 years.  But enough about me.  What about everyone else? 

I would venture to say that most security administrators are prior server admins.  Most have probably come through the traditional IT ranks - helpdesk to client support, client support to server support, small environments to large enterprises.  Why?  Because our field is still young.  Most are converts from networking, server administration, or were administrators of security tools. 

Either way you came up, we all have new hurdles to overcome!
Because technology is ever-changing, so is the ideal security professional. What was once simply securing the network has moved into host security, requiring more than simply understanding network flow. Not only has the sense of security shifted more toward the host, but it has also simultaneously moved away from the host to mobile devices. Add to that cloud technologies, provisioning services, software as a service, and secure code reviews, not to mention all of the existing products that are going through their major and minor versioning. There are some shortcomings that security professionals will be faced with in the near future because of this. Moving to mobile device security and learning cloud technology shouldn't be too hard for most of us. Cloud and security as a service in particular do present new challenges of how to handle service-level agreements that will have to be overcome. Provisioning services present new challenges with auditing because they are deployed from an image, hold a write cache while they are running, but tear down completely when they are logged off. If someone could figure out how to compromise such a system, they would essentially have a live CD to hack with, or so it would seem. Secure code reviews are probably the biggest challenge though. As I said above, most current security professionals came up through the ranks of networking and operating system administration. Most have little to no experience in coding, which means that a new type of security professional is needed, or someone with that niche is needed to fulfill the requirement.
