
The research paper authors also posted a Python package on GitHub that generates these reports: https://github.com/responsibleproblemsolving/energy-usage


It's of varying importance depending on what field of security you're talking about, but generally it's the chasm that separates entry-level security folks from the rest.

Using systems administration as an analog, there exists a class of sysadmins who can't write even basic scripts. Their ability to troubleshoot or problem-solve is limited to using predefined tools. Whole categories of tasks will be infeasible for them to accomplish (mostly because of the amount of time it would take to do them manually, not necessarily because they are technically impossible).

Lacking the ability to do any programming limits their job prospects to the bottom of the sysadmin barrel. That being said, programming isn't necessarily a prerequisite for their job; it's just a ceiling.

Going back to security, most tasks benefit from the ability to automate some part of them. I come from application security, where that frequently manifests in having to quickly piece together tools for interfacing with a specific protocol or API. Application consulting exacerbates that even more, because you'll usually have to do all of this in a very short amount of time, so that you can spend the allotted assessment time actually doing the assessment, and not trying to get your tools to work with the environment.


This is a wonderful sentiment, but as someone who lives next door to this place, you absolutely don't want to eat there.

If you come to DC, by all means buy some food from there, but then throw it in the garbage and I'll happily treat you to a much better dinner.


I'm biased because John Ennis played one of the lawyers, but that one was absolutely my favorite of these.


A few years back I picked up "Russian Criminal Tattoo Encyclopedia Volumes 1-3" on Amazon[1] for something I was working on and they are fascinating.

[1] http://www.amazon.com/Russian-Criminal-Tattoo-Encyclopaedia-...


I can't narrow it down to one (it's like trying to pick a favorite binary message format), but the best I can do:

A Single Man - Christopher Isherwood. A beautifully somber story of a gay man dealing with loss in the 60's. When I read it as a kid, it helped me deal with the sense of alienation I was feeling during my adolescence. Also the movie a few years back (while ending fairly differently from the book) was awesome.

The Big Sleep - Chandler. Literary people all seem to prefer Hammett to Chandler, but for my money there's never been better prose written before or since. "Dead men are heavier than broken hearts" and "I never saw any of them again - except the cops. No way has yet been invented to say goodbye to them." are two of my favorite sentences of all time.

Before Night Falls - Reinaldo Arenas. It's technically an autobiography, but I read it as a novel. More alienation (this time in 1970's Cuba), but written amazingly well (even the English translation).

Dear Mr. Henshaw - Beverly Cleary. I'm not embarrassed to list a kids' book as one of my favorite novels (considering how many people on here I'm sure loved Harry Potter). It's a story about a kid whose dad left him, and it's written as a series of one-sided letters to an author (the titular Mr. Henshaw). I re-read it about twice a year (it's a short book).


+1 for A Single Man.


I've been using Haskell at work for the past two years, but despite the fact that it's been a great investment, I don't really like articles like this.

I find evangelism gross, and in particular, developer technology evangelism especially distasteful.

That said, I take issue with the objectiveness of your points. For the first one, there are indeed quite a few successful systems written in Haskell (I suppose I might be quibbling with your definition of "successful"). Facebook is using Haskell for a few things internally (including their rule engine for fraud/spam processing), and Standard Chartered is using Haskell. In fact, here's a whole site of people using Haskell in industry: https://wiki.haskell.org/Haskell_in_industry

I do think that it's only recently that you're starting to see projects/products built with Haskell that aren't libraries. Just this week there's been a bunch of web frameworks released (Airship and Spock, with Silk releasing a REST API framework a couple of months ago).

I'd like to see more projects that people can use that don't have to care about the fact that the software is written in Haskell (databases and data analytics systems are a particular area I'd like to see become less Java-focused).

Your second point on mutable state seems counter to a lot of the current conventional wisdom of the past five years, which is that immutability is vastly preferred to mutability. This is becoming true in JavaScript (with React and Underscore), has always been true in Clojure, and is becoming more and more important in any system that deals with concurrency.

You can certainly disagree that mutable state is the root of all evil, or even the most important problem with modern development; but I don't think it's accurate to paint Haskell as being the weirdo fringe language that's advocating immutability is the way to go. They have a lot of company on that front; they've just been making the point for a lot longer than most.

Your third point seems like you just completely made it up. Do you have evidence that Haskell programmers are "usually smarter than Java programmers", or that they are somehow inordinately picky about what projects they work on? Do you know many professional developers who work in Haskell?

It's true that the population of Java programmers is probably an order of magnitude larger than Haskell programmers (the number of universities who still teach Java for their introductory CS classes would probably guarantee that's the case), but contrary to what message board lore would have you believe, Haskell isn't some magical "smart person" language.

I'm an idiot and I haven't had any trouble using it full-time. I don't use it for crazy math stuff, or advanced computer-science research. I use it to process events, interact with databases, and display CRUD operations (like probably 80% of most enterprise-y software development).

Haskell's design flaws, while certainly existent, don't seem appreciably above or below any other language (I'm trying not to be smug, I actually think Haskell is much better designed than most any other language). I can happily attest that the record field scoping has not actually been an issue (although maybe I've just been lucky, and there's actually a bunch of other idioms for dealing with the scoping issue like lenses).


Lots of other people have suggested Neruda, which makes me happy, because he's fantastic.

I think my favorite poem is probably "Under Milk Wood", by Dylan Thomas (folks have posted some of his other work, which sheepishly I don't really like). I love this poem so much that even hearing it in a VW ad didn't diminish it. It's quite long, but the beginning is my favorite part:

  To begin at the beginning:

  It is Spring, moonless night in the small town, starless and bible-
  black, the cobblestreets silent and the hunched, courters'-and- 
  rabbits' wood limping invisible down to the sloeblack, slow, black, 
  crowblack, fishingboat-bobbing sea. 

  The houses are blind as moles (though moles see fine to-night in the 
  snouting, velvet dingles) or blind as Captain Cat there in the muffled 
  middle by the pump and the town clock, the shops in mourning, the 
  Welfare Hall in widows' weeds. And all the people of the lulled and 
  dumbfound town are sleeping now.

  Hush, the babies are sleeping, the farmers, the fishers, the tradesmen 
  and pensioners, cobbler, schoolteacher, postman and publican, the 
  undertaker and the fancy woman, drunkard, dressmaker, preacher,
  policeman, the webfoot cocklewomen and the tidy wives. Young girls lie 
  bedded soft or glide in their dreams, with rings and trousseaux, 
  bridesmaided by glow-worms down the aisles of the organplaying wood. 

  The boys are dreaming wicked or of the bucking ranches of the night and 
  the jollyrogered sea. And the anthracite statues of the horses sleep in  
  the fields, and the cows in the byres, and the dogs in the wet-nosed 
  yards; and the cats nap in the slant corners or lope sly, streaking and 
  needling, on the one cloud of the roofs.

  You can hear the dew falling, and the hushed town breathing.

  Only your eyes are unclosed to see the black and folded town fast, and slow, asleep.

  And you alone can hear the invisible starfall, the darkest-before-dawn
  minutely dewgrazed stir of the black, dab-filled sea where the 
  Arethusa, the Curlew and the Skylark, Zanzibar, Rhiannon, the Rover, 
  the Cormorant, and the Star of Wales tilt and ride.

  Listen. It is night moving in the streets, the processional salt slow 
  musical wind in Coronation Street and Cockle Row, it is the grass 
  growing on Llareggub Hill, dewfall, starfall, the sleep of birds in 
  Milk Wood.

  Listen. It is night in the chill, squat chapel, hymning in bonnet and 
  brooch and bombazine black, butterfly choker and bootlace bow, coughing 
  like nannygoats, suckling mintoes, fortywinking hallelujah; night in 
  the four-ale, quiet as a domino; in Ocky Milkman's lofts like a mouse 
  with gloves; in Dai Bread's bakery flying like black flour. 

  It is to-night in Donkey Street, trotting silent, with seaweed on its 
  hooves, along the cockled cobbles, past curtained fernpot, text and 
  trinket, harmonium, holy dresser, watercolours done by hand, china dog 
  and rosy tin teacaddy. It is night neddying among the snuggeries of 
  babies.


For years I've tried to figure out good advice to this question, but I've never been able to successfully articulate it. Here's attempt++.

There are two things that would be helpful to know before providing advice, and they might not be things that you even know the answer to yet; but it's worth considering.

First, what are your reasons for being interested in security? Is it because it's a good job market? Or because you think it sounds cool? Or, god forbid, because you think of it as a higher calling? There's nothing inherently good or bad about any of those three choices (except people who believe the third one I find unbelievably tedious to be around), but it definitely affects what advice I'd give. I'm going to assume it's the second one (based on the way you worded your question).

Secondly, security is an ever-expanding field, and in particular, the domain knowledge for each piece of it is starting to take up all available volume in any person's individual skill-bag.

At the risk of somewhat oversimplifying, you can pretty much carve out a full and successful career in infosec in any of four fields: network security, application security, incident response, general-purpose security practitioner.

Each of those requires skills that are very different from the other 3, and each can be a totally fulfilling choice to make (most of us have wound up in a specific specialty and probably don't enjoy working in one of the other 3, but don't let my or anyone else's distaste for one of them sway you).

Network security is what it sounds like. It's basically the people who do penetration tests. At the bottom end of that field, it's the people who click "run" on a Nessus scan. At the higher end, it's the people who come up with interesting research around protocol vulnerabilities and exploits. Like any field, the vast majority of people aren't at the high end. Without passing judgement, network security was the first piece of infosec to start to become commoditized, thereby making it probably the least desirable from a financial perspective. This isn't true at the high end, but then again, it's never true at the high end.

It's probably where the majority of people start out, regardless of where they end up. You can thank the mid-90's era of terrible system security and compliance audit requirements for that.

Application security is probably the most applicable for people who have a development background (although again, at the higher end of network security, you are writing code, and exploiting other people's code). It started as a field in pretty much the late 90's. My company saw the writing on the wall that network security was going to become more and more commoditized and we shifted our focus to application security. For most of my career, that has predominantly been web application security. Other places do work on "native applications", embedded systems, etc. It really depends on the firm. Application security has become more and more important as more and more of people's lives have shifted to include doing things online. Again, not trying to make a value judgement (although as someone who has worked mostly in AppSec, I'm definitely biased), but it's where I would place my bets for at least the foreseeable future, career-relevance-wise.

Incident Response has only really come into the limelight the past 5 or 6 years. It's been a thing since the 80's, but it was mostly ignored while people tried to convince themselves that they could build secure systems that would actually keep attackers out. The thinking around that has started to change (although in some cases just as an excuse by security people to absolve themselves of responsibility for doing a shitty job). Incident Response will probably never go away, because it's sort of the existential reality of doing business with machines that have to trust one another. Currently, it also commands the highest premium money-wise (but those halcyon days won't last forever).

Incident Response tends to attract the most "higher calling" people, so be careful about that. People who enjoy it will try to sell it to you as being "detective work", tracking down intruders, gathering evidence, and keeping them out of your systems. People also describe tiny, rat-infested NYC apartments as being "homey fixer-uppers".

Incident Response is usually the highest stress of any infosec job (although that, like everything else I've said will vary from place to place). It's the field most likely to wake you up at 3 am on a Friday morning and make you head to the airport on no notice to go help someone whose network is currently being lit on fire by undergrads at a research university for some foreign country. Some people enjoy that pressure, and the reactive nature of the work (you never know where you'll be going from day to day).

Lastly is "general-purpose security practitioner". This role is almost exclusively someone who works in the security group at a company that has nothing to do with security. You might think that it's a combination of all the other roles (the Bards of infosec), and while that can be slightly true, it's more the people who have to deal with all the non-technical parts of security. Security within a company is mostly concerned with compliance, audits, and policies. That's the stuff that the general-purpose security practitioner works on. As part of that, they might occasionally run a Nessus scan, or set up an application in WebInspect (or be woken up at 3am when an incident occurs), but they will spend the majority of their day reading and writing Word documents, and having meetings with the marketing team trying to get them to stop using Dropbox to send all their sensitive corporate documents back and forth.

There are other variables too, like whether you work as a consultant, or work for a security product company; but in general if you work in infosec, you'll be doing some combination of these four things. I haven't said anything about cryptography, because really there's very little overlap between the crypto industry and the infosec industry (to both of their detriment, I suspect).

I actually think anyone in Infosec would probably benefit from spending time in all of those roles, not just to get a better sense for them, but also to help challenge their assumptions. I also think security people can benefit greatly from going between being a consultant (where you potentially help lots of companies very little) and working internal to a company (where you potentially help one company very much).

So my advice is figure out which of those things sounds the most interesting and start down that path.

I don't really recommend doing CTFs unless you like doing CTFs (they have almost nothing to do with anything you'd actually be doing in the field).

And don't get a CISSP unless you opt to work in the general-purpose security practitioner field (even then, only do it if you have to). It's actually a negative hiring signal at almost any place you'd actually want to work.


I work in security incident response and I can say this is all quite accurate. Though usually the 3 AM call just involves a quick drive rather than a plane trip, unless you work for an MSSP.


This is the most complete answer I have received in my life, thank you for your help, so much appreciated.


+1 but I do want to add: there is a growing overlap between the crypto community and appsec. :)


I’m not in the field but this looks like a good overview to me. Thank you for sharing this!


I ran the professional services division for one of the largest companies in the same space as Matasano.

I'd love to hear what you think the NSA might have persuaded us to do?


I worked for the "multinational" for two years after the acquisition and I'm curious about NSA's evil influence too. Tell us more, Zigurd? Seriously: just a theory about what could have been happening would be great.


Since your indignation is fully intact, "one of the largest companies..." would not be RSA, right?


RSA isn't in remotely the same space as Matasano, nor would it be "one of the largest" if it were in that space.

As I rock back and forth in my chair, silently repeat the serenity prayer, and try to remain charitable: what sort of work do you think Matasano (or NCC, Accuvant, or VerizonBusiness, my former employer) does?

