Working in the field of cybersecurity can be extremely rewarding. A security practitioner’s job, at its heart, is to protect people and organizations from bad guys. Even though it’s a technical field, security offers the opportunity for a lot of creativity: Penetration testers devise clever ways to breach clients’ organizations; security vendors and architects build new tools to help practitioners find, analyze, and stop “bad”; and security awareness training is a continual process of developing innovative ways to teach end users the benefits of improved security practices.
With the good, though, comes the bad. Security is a very stressful job. Many teams are understaffed and underfunded; executives and boards of directors now know more about the business of security than ever before and are therefore asking better of the security team without a clear understanding of what “better is”; and there is a constant, nagging feeling among most infosec practitioners that they have to be “always on,” 24x7. Because threats can come from anywhere, at any time, and defenders must protect the entire enterprise while adversaries need only discover one, tiny vulnerability, there’s no rest for the weary. Burnout rates among security practitioners are high, and many practitioners operate with a persistent feeling that no matter what we do, breaches will occur, vulnerabilities will abound, and ready-to-use exploits will be sold on the black market for mere pennies against our hundreds of thousands in defenses.
Making matters worse (if you’re not already depressed from reading the first two paragraphs), the security echo chamber is huge. It’s hard to read a social media thread or attend an industry conference without hearing how others are also feeling overwhelmed or underappreciated. Unfortunately, this groupthink only serves to propel the negativity forward. If you are looking for a way out of security, then by all means, explore other career options. If, however, you’re hooked on helping others and finding solutions to the trickiest problems, read on and resolve to edit your thinking in the New Year.
Change your mind, change your life
Every New Year brings people’s resolutions for improvement: lose weight, get in shape, have a better process for managing finances, take that long-awaited vacation. Some people vow to get a new job. If you’re feeling security burnout, this might seem like a good solution. If your place of employment is, in fact, the problem, finding a company more suited to your needs could do the trick. In many cases, though, restlessness and disappointment at not making more progress in security will follow you no matter where you work. Unless you change your thinking. Can satisfaction in your career be as easy as emulating Peter Pan (i.e., “Think happy thoughts”)? Believe it or not, it’s a good place to start.
If you’re in a negative mindset but ready to bust out of the echo chamber of hopelessness and stress that seem to follow security like a bad shadow, you can begin to change your perspective simply by focusing on the positives of having a career in security.
Diana Kelley, Cybersecurity Field CTO at Microsoft, offers these insights drawn from her ~30-year cybersecurity career as part of vendor organizations, an industry analyst, and a practitioner. She uses the ever-changing nature of technology to help combat burnout. “If you can't find something new [in security] to learn to keep yourself engaged,” she says, “you may be in the wrong field.” Kelley’s role as a security thought leader has her traveling across the globe to “meet with and learn from some of the very smartest thinkers, researchers, and practitioners.” This keeps her energized despite long hours and an abundance of air miles. If you don’t have the opportunity to meet new people and experience new environments continually, she recommends trying your hand at learning a new skill: “Are you an expert on IoCs and threat hunting? How about securing the SDLC and automated testing? Ever lead a pen test?” If not, stretch your capabilities by taking a class, reading a book, or working with a mentor to learn about new tools and techniques.
Rafał Łoś, Managing Director at Optiv, also thinks continuous learning is one of the keys to job satisfaction. “I’m lucky enough,” he says, “to work in a company that allows me the opportunity to continuously challenge myself and jump into interesting and mentally challenging projects.”Acquiring new skills that keep your mind fresh and feed your quest for knowledge stimulates positive thinking, which in turn will make you happier—both at your job and in your personal life. Remember the feeling of receiving a gold star in grade school when you completed an assignment? Teaching yourself new skills—whether you’re required to or not—is giving yourself a gold star, allowing yourself to feel good about doing something positive for yourself and the security community.
Don’t conform to the norm
Security burnout also stems from the constant negativity that surrounds the industry. Though it’s easy to fall into the trap that says negativity is inherent in security (e.g., “Breaches will continue no matter what we do”), some of the defeatist attitude is self-inflicted. In the end, a pessimistic attitude hurts mostly ourselves. To turn it around, Kelley reminds practitioners to “not talk down to people or be dismissive. That just shuts off their minds and hearts. Everyone is human; employees don’t click on malicious phishing links on purpose. It doesn’t help to call them stupid.” Our attitudes are often reflected back to us; the kinder and more accessible you are to others, the more they’ll want to help, creating a more favorable work environment.
{tweetme}Security burnout also stems from the constant negativity that surrounds the industry. http://bit.ly/2CEzOY1 @InfoSec_World #InfoSecInsider{/tweetme}
For his part, Łoś says he avoids the echo chamber by focusing on the creative aspects of his job, which include defining, designing, prototyping, and launching new ideas, products, and services. “When your job is to invent, prototype, and test in real-life,” he says, “it forces you outside of your comfort zone, out of the ivory tower of your own arrogance, and really challenges you to learn.” When you find yourself slipping into a negative mindset, challenge yourself to test a new idea, examine a problem from a different angle, or ask a non-security colleague’s perspective on an issue (hint: IT and operations staff are excellent helpers if you let them be). Even if this isn’t written into your job requirements, doing so will break the cycle of negative thinking and actually help you become a more successful security practitioner.
Keep it light
Kevin Johnson, Founder and CEO of Secure Ideas, a security consultancy with a focus on penetration testing and awareness training, says he combats the security doldrums by “focusing on the things we get right and where we help specific people and organizations.” Penetration tests are meant to help clients find then fix vulnerabilities. Inevitably, though, some percentage of clients will use the findings report only to prove to auditors that the company has completed its due diligence, or to allow the executive team to sign off on the risks. If you focus on the negative, says Johnson, it’s inevitable that you’ll become negative too. Concentrating on the instances when customers really did take advice to heart and make changes allows Johnson and his team to remain motivated.
Johnson also makes a dedicated effort to “spread out unique or interesting jobs as they come in.” When this type of work is booked, he says, “I try to spread it amongst the consultants. I also try to ensure that my team get to play in spaces they are interested in.” Whilst he can’t safeguard against repeat engagements at all times, Johnson tries to mix it up and keep it fun and engaging for his team.
Łoś agrees that a big part of avoiding burnout is keeping things light whenever possible. He says that his teams, “work hard to ensure there is a reasonable balance between personal and professional lives. This goes beyond just taking time away from email and work calls—to actually have social time, like playing ping-pong with office mates, between stressful meetings.”
To ensure stress doesn’t build too high, even when topics are tense, Łoś says the focus is always on the team, “meaning: make sure that no one feels like they’re out on their own with a difficult or ‘unicorn’ task that gives them a singular opportunity to fail, alone.” So often security professionals feel like they’re the sole voice in the room saying “no” or “slow down” to the business. Knowing you have support when you are in a tough position or working on an extra challenging project is critical to keeping spirits up. Be the person that provides that type of support to colleagues, and you’ll see a return on your “investment” when you’re the one in need.
Give back to get more
In addition to creating a stimulating environment for his employees, Johnson is a big believer in giving back to the community. Secure Ideas offers free services to charities and free training to veterans. Johnson says it’s incredibly motivating and rewarding to see people learn and grow because of time spent. Not all companies have the ability to offer assistance in this way, but any individual can spend off-work hours volunteering by teaching cybersecurity skills to youth or underprivileged populations. Watching others grow can be extremely rewarding and invigorating (perhaps more so than “helping” the executive who paid boatloads of money for that pen test but who’s just going to file the results).
Resolve to revitalize
Though there is no one-size-fits-all for finding or rediscovering your passion for security, it’s fairly easy to tweak your thinking and actions and reject the echo chamber that says security practitioners must be curmudgeonly misanthropes (though you’d never know it by reading Twitter). Outside of work, too, find hobbies that have nothing to do with security but feed your soul. Maybe you love hiking or cooking or playing Boggle—it really doesn’t matter. Do things and connect with people that expand your worldview and you’ll be both happier and more productive at your job. In this New Year, resolve to revitalize what first drew you to security, and use that passion to drive security and your personal satisfaction higher.
Diana and Kevin will be presenting on ransomware and privacy, respectively, at InfoSec World 2018, being held March 19-21, 2018 in Orlando, FL.