Hoff (and some others) have been talking a lot about hope and the future.
Chris has dedicated most of his recent posts to making us think differently about security. To drop our archaic models of the past and look towards solutions for the future. It’s a noble goal, one I support completely. Dr. Eugene Spafford, a seminal figure in information security, is also dedicating effort to the cause. I’m firmly in their camp and believe that while we don’t need an entirely new model for security, we definitely need to evolve. Information Security has been little more than basic network security and antivirus ever since Code Red and Melissa hit.
But that’s not important right now.
The essential questions are, “will we win?” And “do we make a difference?”
These questions are non-trivial and endemic to the human condition. Anyone, in any occupation, who is invested in what they do will frequently use these questions to position themselves in the world. For some an occupation is merely a way to pass the hours and pay the bills; these automatons contribute to the status quo, but don’t help society evolve. For the rest of us our occupation is an essential component of our identity. We define ourselves by our occupation, and define our occupation as we want to define ourselves.
I’ve worked in public safety my entire adult life, and spent most of my childhood, purposefully or not, preparing for my strange career. Over the years as I worked in different positions throughout public safety, from physical security, to emergency medicine, to information security, I was challenged by difficult questions of conscience.
When I started in emergency medicine, I had to reconcile the thrill of the job with the fact that I achieved professional satisfaction only through the pain and suffering of others. As much as I wanted to try that new procedure, or be on that big call, I had to accept that for me to exercise my skills, someone needed to suffer injury or illness. I reconciled such a potentially twisted mentality by realizing that it wasn’t that I wanted someone else to suffer, but I wanted to do my job and do it well. People will get hurt, sick, and die with or without my involvement; I was a professional and wanted to do the job I was highly trained for. If something was going to happen, I wanted to be the one to be there. As my experience and confidence grew, I also began to believe that the better I was at my job, the less that victim (or the family) would suffer.
Physical security was similar, but involved some slightly more complex mental gymnastics, which every cop and (I expect) soldier experiences. While as a medic you relieve pain and suffering, in physical security you often inflict it. We all loved the rush of breaking up a fight or catching a bad guy. There is an undeniable thrill in being authorized to use physical force on another human being- not a thrill of sadism, but the same emotions evoked by the sports we use to sublimate physical combat. In those cases my goals became to use as little force as possible and de-escalate situations verbally. Violence was not the objective; it was the last tool available to protect others.
I’d like to call it altruism, but the truth is there are visceral thrills and deep satisfaction in managing the challenges of emergency medicine, rescue, and physical security. I learned to accept this motivation without guilt, since the goals of safety and security called for such commitment. When safety and security become excuses to do bad things, that’s when a very bad line is crossed.
But back to security.
In information security we may not be faced by the prospects of blood and guts, but those of us “in the industry” need to accept that we make our money off the pain of others. There’s nothing wrong with this so long as we don’t take advantage of our clients. I’m not just talking about vendors; we in internal security also provide a service to a client. My personal philosophy around this is that I won’t lie or try to frighten just to enhance my own income, but I’ll tell the truth and charge what I think is fair value for my services. I also still perform some volunteer work for those who need the help but can’t afford it.
Security professionals earn our daily bread from fear and pain (sometimes very abstract pain, but pain nonetheless). There’s nothing wrong with that, but it does convey a responsibility not seen in other occupations.
The big question I haven’t addressed, one that underlies pretty much any occupation, is, “Do I make a difference?”
Psychologically I believe all humans fundamentally need to make a difference. It’s hard wired into our brains. If we’re not making a difference, we have only one of a few possible reactions. We can disengage from that activity and find fulfillment in other parts of our lives, or disengage from life completely. As sad as that sounds, we all know people who don’t see the meaning of their life and instead turn to a never-ending trail of distractions. We can also deceive ourselves and create illusions that we matter; I suspect many mountains of bureaucracy have been built on such falsehoods. We can also seek satisfaction elsewhere; actively finding a new job or career.
We can also do the absolute best job possible, fight the good fight, and try to rise above any limiting circumstances.
As a paramedic I may have been the one who saved a few lives and reduced a little suffering, but the reality is that if I hadn’t been there, someone else would have been. In mountain rescue we operate as a team and it’s a group of 40 or so people, not some lone hero, that makes the save. But although I personally wasn’t essential, and the rescue would have happened without me, society depends on collective actions to survive and progress. If no one cares, none of us matter.
We face the same mental and emotional challenges in information security as in physical security, law enforcement, the military, or emergency services. At times we feel helpless- that the business will always ignore us and we’ll never be able to solve even the most obvious of problems.
But that’s not what matters. People smoke, drink, do drugs, eat fatty foods, don’t exercise, drive fast, run red lights, and vote against school budgets. Society still continues, and public servants still work hard and derive immense satisfaction from their work. Sometimes it’s the satisfaction of helping just one person, other times it’s the satisfaction of managing a complex situation with elegance, and sometimes it’s that one action you took that makes a difference on a large scale.
Just because we can’t fix the world doesn’t mean we shouldn’t try. We need to accept human fallibility, understand out own motivations, and do the best job possible. We can’t make all programmers secure coders, but we can educate them to the best of our ability and develop the most effective security controls possible. Home users will always click on things they aren’t supposed to, so we protect them as best we can and don’t blame them for not having a black belt in security-fu. Some vendors will lie, cheat, and steal their way into the market- but we evaluate, use the tools that work, and use market forces as best as possible to pull the others into usefulness. We can’t call everyone stupid who doesn’t believe in our new model or vision for solving security, but we can use those models to help people think differently and perhaps make small improvements.
As corny as it sounds, the future of an information-based society relies on those who secure it. We absolutely matter. We should use the day to day frustrations we all experience as excuses to find better ways to do our jobs.
We’ll never win. The battle started long before computers, and will continue long past any of us. But society perseveres, we always seem to get the job done, and we can derive infinite satisfaction from jobs done to the best of our ability. Individually we only matter to ourselves and a small circle around us, but collectively that circle grows and moves societies.
Maybe. Or maybe I just lived in Boulder a little too long…