I’ve been in the security business a long time. I have enjoyed up cycles through the peaks, and back down the slope to the inevitable troughs. One of my observations getting back from RSAC 2011 is the level of sheer frustration on the part of many security professionals today. Frustration with management, frustration with users, frustration with vendors. Basically lots of folks are burnt out and mad at the world. Maybe it’s just the folks who show up at RSA, but I doubt it. This seems to be true across the industry.
A rather blunt tweet from 0ph3lia sums up the way lots of you feel:
Every day I’m filled with RAGE at this f***ing industry & the fact that I work in it. Maybe I’m just not cut out for the security industry.
This is a manifestation of many things. Tight budgets for a few years. The ongoing skills gap. Idiotic users and management. Lying vendors. All contribute to real job dissatisfaction on broad scale.
So do you just give up? Get a job at Starbucks or in a more general IT role? Leave the big company and go to a smaller one, or vice versa? Is the grass going to be greener somewhere else? Only you can answer that question. But many folks got into this business over the past 5 years because security offered assured employment. And they were right. There are tons of opportunities, but at a significant cost.
I joke that security is Bizarro World, where a good day is when nothing happens. You are never thanked for stopping the attack, but instead vilified when some wingnut leaves their laptop in a coffee shop or clicks on some obvious phish. You don’t control much of anything, have limited empowerment, and are still expected to protect everything that needs to be protected. For many folks, going to work is like lying on a bed of nails for 10-12 hours a day.
So basically to be successful in security you need an attitude adjustment. Shack had a good riff on this yesterday. You can’t own the behaviors of the schmucks who work for your company. Not and stay sane. Sure, you may be blamed when something bad happens, but you have to separate blame from responsibility. If you do your best, you should sleep well.
If you can’t sleep or are grumpy because security gets no love and you get blame for user stupidity; or because you have to get a new job every 2-3 years; or for any of the million other reasons you may hate doing security; then it’s okay to give up. Your folks and/or your kids will still love you. Promise.
I gave up being a marketing guy because I hated it. That’s right, I said it. I gave up. After my last marketing gig ended, I was done. Finito. No amount of money was worth coming home and snapping at my family because of a dickhead sales guy, failed lead generation campaign, or ethically suspect behavior from a competitor. My life is too short to do something I hate. So is yours.
So do some soul searching. If security is no good for you, get out. Do something else. Change is good. Stagnation and anger are not.
-Mike
Photo credits: “happiness is a warm gun” originally uploaded by badjonni
Domo Arigato
My gratitude knows no bounds regarding winning the “Most Entertaining Security Blog” award at the Social Security Blogger Awards last week. Really. Truly. Honestly. I’ve got to thank the Boss because she’ll kick my ass if I don’t mention her first every time. Then I need to thank Rich and Adrian (and our extended contributor family) who put up with my nonsense every day. But most of all, I need to thank you. Every time you come up to me at a show and tell me you read my stuff (and actually like it), it means everything to me.
I’m always telling you that I know how lucky I am. And it’s times like these, and getting awards like this, that make it real for me. So thanks again and I’ll only promise that I’ll keep writing as long as you keep reading.
-Mike
Incite 4 U
- Marketecture does not solve security problems: That was my tweet regarding Cisco’s new marketecture SecureX. The good news is that Cisco has nailed the issues – namely the proliferation of mobile devices and the requisite re-architecting of networks to address the onslaught of bandwidth-hogging video traffic. This will fundamentally alter how we provide ingress and egress, and that will require change in our network security architectures. But what we don’t need is more PowerPoints of products in the pipeline, due at some point in the future. And that’s not even adressing the likelihood of data tagging actually working at scale. If Cisco had delivered on any of their other grand marketecture schemes (all of which looked great on paper), I’d have a little more patience, but they haven’t. Maybe Gillis and Co. have taken some kind of execution pill and will get something done. But until then I wouldn’t be budgeting for much. Is there a SKU for a marketecture? Cisco will probably have it first. – MR
- You can’t secure a dead horse: Well, technically you can secure an actual deceased horse, but you know what I mean. Microsoft is getting ready to release Service Pack 1 for Windows 7, but nearly all organizations I talk with still rely on Windows XP to some degree. You know, the last operating system Microsoft produced before the Trustworthy Computing Initiative. The one that’s effectively impossible to secure. No matter what we do, we can’t possibly expect to secure something that was never built for our current threat environment. We’re hitting the point where the risks clearly outweigh the non-security related justifications. FWIW, my new favorite saying is: “If you are more worried about the security risks of cloud computing and iOS devices than using XP in your environment, you need to re-examine your priorities.” – RM
- Real. Investigative. Journalist. Brian Krebs has balls. Why? Because how many of you, after having received threats, would travel to the city where people may actually look to do you harm? Anybody? But that’s exactly what he did. If you have not read the story, Brian’s recent blog post reads like an old school Len Deighton novel: Russian Cops Crash Pill Pushers Party. Fascinating look at the the natural blend of electronic and physical crime, spies, dirty tricks, and good old fashioned capitalism. – AL
- CISO is not a firewall jockey: One of the ideas I tried to make clear in the Pragmatic CSO is the need for senior security folks to focus more on business than on technical skills. If you want more validation, look no further than the dean of CSO recruiters, Lee Kushner. In this NetworkWorld interview, he pinpoints some skills you need to make it to the next level. Like technical chops, but within the context of business. Business, communication, and leadership skills are also a must. But only if you want the CISO job. There are lots of jobs in security for folks who don’t want to spend more time persuading, cajoling, managing drama, and fending off finance and audit. And it’s okay to pursue those other jobs. Really. You folks will still love you, even if you stay on the technical track. – MR
- Yelling “Fire!” is a crime: I can never tell if other analysts are serious about what they write or if they are just trying to stir the pot. Mike Gualltieri’s post on Want Better Quality? Fire Your QA Team is one such example. His concept has merit: fire QA and make developers responsible. This can work, but there is a significant lag before developers “get it” and figure out how to write test cases. Or learn the art of ‘coverage’, test cases, regression, and feature testing. More often they just get pissed off and leave for a new employer. We have QA because the natural friction between the two groups provides checks and balances between shipping code quickly and delivering a quality product. I don’t advocate firing QA – there are far more productive ways to incentivize developers and QA engineers to the same end, without the serious risk and destabilization. Read the post: it’s food for thought, but I would not take this seriously. Again, it makes you wonder how much practical experience some of these folks have. – AL
- Defend naked: John Strand proposes one of the coolest security thought models I’ve seen anyone talk about in a while. How would you defend your network without a firewall, AV, or current patches? It’s an insanely awesome way to think about things, because all those controls can be bypassed. Better yet, subtract a few other “essential” controls and think about how you might still defend your network. This isn’t something I suggest you actually do to your systems, but it’s a very useful thought exercise for modeling security. – RM
Reader interactions
2 Replies to “Incite 2/23/2011: Giving up”
I agree with Chris that security folks are struggling with demonstrating value, but I think there is another dimension too. In good times, the money flowed to security and we didn’t really have to justify the investment we were making.
Now, we are struggling with business issues, having to justify our risk compared to other business risk, and we are seeing business more willing to accept certain security risks. This leads many of the binary thinkers in security to conclude that their business “doesn’t get it”, that the industry can’t solve problems (as evidenced by the fact that they can’t get funding to buy more gizmos, so the gizmos must be at fault) and that their world is gone to pot.
It is necessary and will be good. we need to wring out those who think you are either secure or not and replace them with folks who really do “get it”.
Hi Mike. In my opinion, a portion of the frustration to those in the “security” profession is related to the usefulness of the output of their work. I am not saying that the actual work is bad. But how their work factors into information that is meaningful and actionable from an IT risk management perspective is the point of frustration.
If I [mis]use the Gartner Hype Cycle as a lens to view this frustration through – I think that this frustration is in the “trough of disillusionment” portion of the cycle. While our profession’s current capabilities will continue to mature, the output of our efforts needs to be more meaningful and actionable to management and business leaders – and realized via actual IT risk management (the “slope of enlightenment” portion of the Gartner Hype Cycle). I am not convinced that all security professionals that have been in this game for longer then 10 years truly want to up their game and either contribute to making more sense of all this security information let alone find value in how their job(s) factor into risk management. Regardless, when the output of our efforts – no matter how mundane they may be – is deemed to be of value, contributes towards effective decision making – and being told it is of value should be enough to keep most people happy.