Reply to the comment "how I fell for cybersecurity"

In this small post I would like to shed some light on the comment from moooV and on the industry as a whole.



Just want to clarify a couple of important points:



  • the post is not intended to offend anyone or to condemn anyone's choice, nor to stir up a holy war, demagoguery, etc.;
  • the post does not carry any calls to choose anything;
  • why a post and not a comment? Because "You can comment on publications that are not older than 30 days ..". In general, I read the rules and decided that it would be fine.


So, after reading the comment, one gets the feeling that, in general, a security person is some character far from IT, with watchman's syndrome, and quite possibly a boor. Perhaps this is the case in many fly-by-night offices, but there are other cases, which I will talk about a little later; for now I would like to go through a couple of points from the comment.



1.

I also thought I would be a pentester, a system programmer, a networker, and in general Mr.Robot. In fact, everything technical is only self-study and not otherwise.
There are quite a few universities with such a "dry" approach. In general, there are many such places, in almost any specialty, with the exception of the "very professional" ones (and even then not always!), and everything that is useful at work is "just self-study and nothing else." And in general, the quality of universities in the Russian Federation in the IT direction is very deplorable: training comes down to reading out course materials, somehow pulling students' grades up by the ears, issuing an IT diploma and a weighty kick in the back, and sending the bright IT future off to the labor exchange... Therefore (this is especially important now, and doubly relevant if you are a future entrant fit for military service), it would not be at all stupid to familiarize yourself with the training program of the specialty you are going to enter, and then draw conclusions about "whether it is necessary"...

2.

What does this education look like? Well, a mixture of management with jurisprudence and the watchman's syndrome - and this knowledge is not applicable anywhere except Russia, and if there is a goal to move abroad, it is a waste of time.

About "move abroad". Well, I would not draw conclusions so unequivocally. I had a chance to work in one company in MSC, where a security officer worked for 3 years who, being a junior, had worked abroad and written the same tons and megatons of papers, only according to ISO. Only there, in contrast to our companies, it was the responsibility of the IS specialist not only to crank out the paper, but also to monitor its actual execution and compliance. So, being sensible, you can easily make your way into this, what's it called, Europe.

3.

This applies to everything, well, almost everything. So as not to go far, I will give another example: at one time I studied "technical design"; in general, I was supposed to become a designer. By the 3rd year I had racked up failed exams in such important design subjects as "philosophy", "political science", memology cultural studies and stuff like that, then I transferred to another faculty and chose another specialty there. About a fifth of the group work as designers; the rest were thrown by hard fate into testing, programming, Big Data analytics, writing, sales, etc. And that's how it works, yes. A person always learns everything himself, learns whatever draws him, and a diploma is, in principle, a formality, a piece of paper that makes it clear that you have seen some shit without which you SUPPOSEDLY cannot break through in life.

4.

The rest - yes, they work in the field of information security. What are they doing? They write pieces of paper. Tons. Megatons. It has almost nothing to do with IT.

To each their own. I've seen and written such pieces of paper for 80k a month, working in a nearby castle. It suited me: you sit there, for 2/3 of the days you don't do anything, for 1/3 you write, and you get money. Some people like it. A comrade of mine at the time, secretly from his office, helped others pass an IS audit and advised someone else on information security; in fact, he simply profited from other people's paranoia suckers - he installed all sorts of disconnectors on phones, looked for bugs, put plugs from UAVs and the like.

5.

This plot of the legend is applicable to most vacancies and specialties. A friend of mine sat in some kind of technical department at some enterprise producing roller shutters and garage doors, also being a deep 0 in all of it. But his dad's friend, the BOSS, came and said, "So nah, this guy, my friend's son, came here to study design and practice in tech. documentation and our products. You will help him, for example ..." and that's it. The kid somehow left for 3 years, then went somewhere into sales.



In general, when a person is an ordinary middling type and a goof, then for him information security will start and end right at the place where the FSTEC waste paper, GOSTs, ISO, policies, etc. are. If a person has the desire and zeal, he can always add a higher level of information security theory to his knowledge - penetration testing, development, networks, etc. - thereby reaching a new level. And in general, work in information security is organized differently everywhere. The most common arrangements I have personally seen are the following: either the security person is mainly engaged in paperwork and policies, and his "hands" are helpdesk techs who install various software, configure it, etc.; or he is a jack of all trades who knows the technical internals, knows his way around firewalls, is able to roll out anti-virus software policies, knows cryptography in its many forms, and so on and so on.



The security auditor is an important bifidobacterium from the IT world (or maybe not IT, who knows), whose habitat is JSCs, LLCs, NGOs and other "O"s from the times of Tsar Pea that are subjected to bureaucratic violence from inspection bodies and others. At one time, such people tamed a mountain of documents the size of Andromeda, learned all the regulations, and as a result of the nightmarish synthesis of Consultant+ and FSTEC, theorists came into the world. Their purpose is pieces of paper, documents, acts, reports. Their weapon is knowledge of line spacing in documents and GOST numbers. And finally, proudly perched at the top of this food chain is the security person who knows the technical side of the issue, and knows it not at the level of "but right now, updating to the Kaspersky pumping", but at a serious one. As a rule, these are narrower specialists. I saw one such once, a former network engineer.



I've read the comments under the posts about information security and was amazed. People have a strange understanding of vacancies in IT. Some really think that the university owes something to someone... "I say, I was so magical and smart that I went to college, but I was NOT taught." Once again, when people go to study, if they do, it would not hurt to ask what they will be taught. And it turns out that Vasya Pupkin went to study as a system administrator, programmer, designer, tester, security officer, etc., but he was not taught that, while Vasya himself put a whole 0 of effort into it. Narrow, in-demand specialties are not taught at lectures.



A separate point - people ask, "But should I go?" For all of you who ask this question, the answer is No. You will not make a good security officer, nor a programmer, nor an administrator, nor anyone else) When a person asks such questions, it only says that there is no motivational core; he is being led and does not sincerely want it. And all these IT specialties require iron patience, endurance, diligence and perceptiveness, and all of that will usually go away quickly, at the very first difficulties, if you did not know from the start what you were doing. It is also not worth looking at particular cases and drawing conclusions about the profession: someone wanted to and could, while someone else thought that everything would be brought to them on a wave and ended up on their ass. Once again, nothing is given just like that, no one will teach anything anywhere; all who have achieved at least a little something are kind of fanatics of their business, their work, their hobby. Such people do not need an institute either.



Probably there should be some kind of ending, but I'm so tired of writing that everyone can draw their own conclusions about who to be and whether it is worth getting into not only information security, but IT as a whole!



"

Having turned the book over, wind it around your mustache - all the works are good,
choose the taste!"

V.V. Mayakovsky.


