I’m guessing like most of you, the list of Slack accounts scrolls off the bottom of the screen. Yesterday I was scrolling through the list to see if I’d missed anything and there was a message on the Canadian Infosec Slack in which the following was posed:

Hi James. $PERSON said to reach out to you = For advice and shiz – I’m a pentester. And at the cross roads of focusing on web app or network. – And I’m just reaching out for people’s opinions

My immediate response was pretty simple:

Hrm. That’s actually a hard problem. There’s a number of things to think through.

Gave it a few more thoughts and came up with the following ideas:

  1. Web Apps aren’t likely going away (ever), but that space is fairly crowded between testers and both static and dynamic analysis. There are two sorts of jobs here, very commoditized (think PCI) and extremely weird/high-end (the stuff that Leviathan Security does). If you’re not careful, you end up in the former and start smacking your face on the wall forever.
  2. Even with the magic of Cloud, there’s always networking and server platforms underneath. The real thing to pay attention to in this space though is next gen networking (SDN, IPv6) and the as-yet-unseen problems in this space.
  3. And on the third hand, we’ve spent so long generating specialists in the Infosec space that we’ve created a situation that looks like a Venn Diagram of skills – except NONE of the circles overlap each other. Those spaces in between are where problems happen and where there are currently very few generalists who can step in and work those problems.

A bigger question is “what do you want to be doing in the next 5+ years” — what’s your career goal as you settle into your mid-40s? Do you want to work operations or consulting? Do you want to be an executive or a manager? Where do you want to work? (You’ll run out of runway in Canada really quick – I haven’t really worked here in 5 years and I live here.)

Ultimately, in terms of both near term and longer term HR planning, I’m hiring more “3” and less “1”.

I sat there for a few minutes and realized that I have certainly talked a lot on the topic. As I assembled the list, I didn’t realize quite how much time I’ve spent on the topic. Rather than leave the list buried on an obscure Slack, I thought I’d share it here with you. (Interestingly, I appear to talk about this stuff nearly once a year. In 2013 and 2015, there are probably panel sessions that I don’t have recordings of.) Just watch the videos – I’ve talked career advice to death over and over again:

  1. The Last HOPE: From a Black Hat to a Black Suit (2008)
  2. SecTor 2008: Security Heretic: We’re Doing It Wrong (2008)
  3. Notacon 6: BlackHat to a BlackSuit: Econopocalypse Now (2009)
  4. The Next HOPE: The Black Suit Plan Isn’t Working – Now What? (2010)
  5. Notacon 8: I’ll Take “Myrcurial” for $100 (2011)
  6. Derbycon 3: Doubt, Deceit, Deficiency & Decency – A Decade of Disillusionment (2012)
  7. SecTor 2012: BlackHat to Black Suit (The George Lucas Specialized Edition) (terrible audio) (2012)
  8. SecTor 2013: Crossing the line; career building in the IT security industry (panel) (2013)
  9. Derbycon 4: The Road to Compliancy Success ++ (2014)

Yeah, there’s about 8 hours of material there. You’re not going to get the 8 hours back. I’m sorry.

EDIT PS: And I completely forgot about the research papers that we did at $dayjob including one that goes into exactly what kind of employment picture awaits us all… “Analysis of Cloud vs. Local Storage: Capabilities, Opportunities, Challenges” [PDF] — digging deep into the talent scarcity problem.

EDIT PPS: Was reminded of the panel keynote at SecTor 2013, added to the above list. Listen to more than just my viewpoint.

EDIT PPPS: Was reminded by @synackpse that there’s yet another version of the Blackhat to Black Suit talk

Image CreativeCommons from neetalparekh on Flickr


  1. Our company is having the hardest time finding qualified well-rounded IT technicians. In particular, we have struggled to identify candidates that have communication skills to interface with our users. I was wondering if you would ever recommend training in business architecture for new job applicants. I had recently taken a course on developing soft skills for IT using a training method in business architecture from the Business Architecture Center of Excellence. I would recommend to anyone in tech looking for jobs, that there certainly are jobs available in all areas—app dev and hardware. What I am having trouble finding are people that have the tech AND softer skills (writing and conversational skills) to relate to our customers.

  2. Totally letting you get away with the link in the comment because the rest of your comment is really good.

    Folks, listen to what Adam is saying — up your social skills game.

    And if I can get enough of you interested, I’ll run the full 8 hour version of The Message and The Messenger workshop at a bsides/ish event near you.
