Doom, Gloom, and Infosec

Monday, February 06, 2012

Dave Shackleford


I’m perennially happy. I am almost always in a pretty good mood, despite my inherent sarcasm and less-than-politically-correct approach.

But I get the impression that many in infosec are not. Everyone is different, and I don’t want to stereotype, but I do run into a lot of gloomy folks.

Why is the infosec profession so unhappy in general? I closed out the IANS forum in Chicago recently (which ROCKED, by the way, just too much awesomeness in CHI to contain), and Ron Ritchie made some comments that I thought were pretty spot-on in his closing thoughts.

He mentioned a few good reasons to be in infosec, and I’ll list some below, including his:

Reasons infosec rocks:

  • Money is good! (Ron)
  • We have tons of interesting things to work on! (Ron)
  • We bring real value to our organizations! (Ron)
  • We can actually detect and prevent crime in some cases!
  • We have one hell of a solid career path, in general!

I’m sure this all sounds good. High-fives all around! Hmmm. Wait. We’ve still got that “Sad Panda” problem. So there are surely some negative aspects to infosec as well.

What are they?

Based on my experience as a practitioner, consultant, trainer, and general curmudgeon (albeit a pretty jolly one), a few things I can think of:

Reasons infosec sucks:

  • People ignore us, hate us, or perceive us as roadblocks. Or all three.
  • Infosec never seems to be “done”, ever. Always an ongoing endeavor.
  • The landscape in infosec changes so rapidly it’s difficult to keep up.
  • Overall, infosec is “hard”.
  • Related to the first point in this list, we may feel “at odds” with business units and IT organizations.
  • There’s a general sense of “futility” – we can’t “win”.
  • Our career paths are wack – do we really have any respect?

Surely I’m missing things here, likely both good and bad. However, being the “glass half full” kind of cat that I am, I am inclined to think the list of “things that rock” far outweighs the list of things that suck.

Seriously! What are we so worked up about? Lots of jobs are much drearier than most of ours. And people make the best of them, get the paycheck, and go have a life outside of work.

I won’t even try to speak for everyone here, that’s crazy, but I see a lot of people internalizing their positions and the issues they see in their jobs, when they should really be trying hard to leave that stuff at the office. Infosec is not a calling.

There, I said it. It’s not. It’s not a crusade. It’s not the end of the world if a security control fails, or an employee gets phished, or you lose some data. Sure, it SUCKS and all, but deal with the stress of the moment and move on! Life is short.

Enjoy the good aspects, deal with the bad, and most of all, get some hobbies that do not involve a computer, security, or anything else related to infosec. I love this field with all my heart, but I recognize that this is not sustainable.

So…why are folks so burnt out? What am I missing here?

Cross-posted from ShackF00

Possibly Related Articles:
Information Security
Enterprise Security Careers Information Technology Information Security Infosec Professional Dave Shackleford Ron Ritchie
Post Rating I Like this!
Rose Morrell Interested in your take on this - boundless optimism and enthusiasm for infosec quashed by involuntary restructure putting me in a generalist risk team. Management banned talking about having too much work, talking about doing too many extra hours to get work done (because we shouldn't be), continually took on more work and reported all services as green, blaming individuals on the team publicly when flagged risks became issues due to under-resourcing. Not in London and have a young family otherwise could have taken any number of opportunities to get out. Another job cut round just announced. Hard to keep a brave face, but respect you're talking generally.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.