Can you say more about why you recommend not pursuing formal certificates? Does that include even the “best” ones, e.g. from SANS? I’ve been recommending people go for them, because they (presumably) provide a guided way to learn lots of relevant skills, and are a useful proof of skill to prospective employers, even though of course the actual technical and analytic skills are ultimately what matter.
It is simply that the certificates that I happen to know about have poor tests that do not actually signal ability to estimate security. I do not know much about the certifications from SANS except that the training is indeed quite broad.
According to their website, the test for the GICSP certification consists of 115 questions (I assume multiple choice) of which 70% have to be correct in order to get the certification. Depending on how the answers relate to points, I guess that I could get the certification with a couple of tries and little actual knowledge.
Almost every one of my colleagues had a G**** certification and I am not too impressed by their abilities. Therefore, I assume that it is rarely useful to pursue a certification if you can self-teach instead (or have a very good mentor/teacher at hand).
Interesting, thanks.
My background: I spent about 6 years building security products in 3 companies (from the point of view of a software developer, mainly. This is different, and in many ways “inferior” to your experience, even if it is longer). Software security is also a very common occupation in my social group (and in my ecosystem (Israel)).
My impression is that almost the entire software industry is busy helping companies put a checkbox that they “have this security feature” and adds little to actual security.
In one “company” I worked for, this wasn’t the situation, it was actually very serious and actually aiming to be incredibly secure, but I prefer not talking about it publicly.
I think that someone like you would be really valuable for a company like Anthropic to get ACTUAL SECURITY rather than hiring some person with lots of credentials. If this domain attracts you (and it is only the culture that you hate), I’d like to encourage you to go ahead and do it right. Perhaps you could even build (or find and join?) a community of people trying to do actual security instead of waving around diplomas.
I have personally had too much of this nonsense and intend to never go working on security stuff again.
Thanks for your response! I am leaving InfoSec for now as well.
I’ve been working as an information security specialist for a year now (doing SOC work, pentests and developing tools to improve the first two) at a major energy producer in Europe. I’ve been a hacker and following what’s going on in this field for some time longer.
I haven’t done consulting but what I’ve heard from colleagues about some consulting companies (even internationally recognized ones) we’ve hired in the past matches what you’ve highlighted—utter disappointment.
Even though I haven’t approached the field from a consulting direction, I’d also recommend instead to start hacking yourself and applying the recommendations highlighted by Hans.
I would like to push back on a couple of things—certification and norms.
There are some certificates that really take a no-bullshit stance and completing them does require extensive knowledge and abilities, so seeing that someone has an OSCE certificate shows me that they are capable of doing penetration tests. I’ve heard other experts in the field expressing that certificates aren’t that important for getting a job and what matters more is what you can do and what you are enthusiastic about doing.
Your wording on the usage of norms, I feel, is too broad. I agree that some norms, especially if they are thrown around without specifications or are implemented without background knowledge, are stupid (well explained by LiveOverFlow https://youtu.be/fKuqYQdqRIs ).
But as you said, they can be a good source of inspiration and ideas. For example, going through the MITRE ATT&CK framework recommendations does force you to think about all the aspects in which a system can fail, and the things highlighted there and in other standards are most often based on lessons learned from experiences where things have gone wrong.
I would also like to add to the Dos list:
Getting a good understanding of the fundamentals of IT, software development and networking
Wonderful! Thank you for sharing this. What you said about norms totally makes sense. Maybe I will re-sharpen the article.
My experience as a recipient of security consultants’ advice matches what you are saying. The sole result has been paperwork. Admittedly, some of this paperwork has actually been helpful (IT workers are not always very good at writing documentation.) but I still don’t think it was worth the opportunity cost.
This has the ring of truth to it.
Thanks! Edited.