A Good Profession

CSOOnline ran a recent article entitled “7 Ways to Stay Happy in a Miserable Profession” which listed items from a Mike Rothman presentation “The Pursuit of Security Happyness.” No doubt the information security profession requires a certain level of mental toughness, but I just can’t buy into some of the suggestions made in the article.

Accepting that we can’t win

I’m not sure a defeatist attitude is all that appropriate for information security professionals. You’ll always run into difficult budgets, management and staff that are trying to buck the system, and a threat from bad guys who communicate better than the good guys. Part of being happy and successful in the information security profession is having passion for what you do. It is up to the information security leader to share that passion, to be the evangelist of information protection, and to “sell” information security by demonstrating how it enables business. The article certainly is right in stating that “YOU define personal success”; however, your attitude goes a long way. Nobody will buy into your security agenda if you start off with a sulk-in-the-corner attitude.

Focus only on what you CAN control

Absolutely.  However, you can’t ignore senior management, budget, user stupidity, DBA “dimwits”, office politics and the host of other issues listed in the article that are part of the environment we work in.  The security leader needs to shape and influence these areas, not just shrug the shoulders and say “I can’t do anything about it anyway”.  We need to excel at the things we control while working to influence behavior and decisions outside the coverage of our umbrella.

Look for NOT normal

Information is essential to successful security programs.  The concept of looking for unusual activity isn’t anything new but it is something that isn’t done very well in many organizations.  The better you get at looking for the unusual events, the better you get at stopping unauthorized disclosure and data theft.

Communicate the good and the bad

It’s all about setting expectations and Rothman hits the nail on the head with this one.  Openness and clarity are fundamental components of a good information security program.  It builds credibility with senior management and helps influence decisions when done properly.

Roll with the punches

Good days and bad days are part of the deal in any field, not just this one.  Information security is a tough field to play in and if you can’t maintain a professional attitude during the tough times, you’re probably in the wrong field anyway.  It’s not about being addicted to controlling what you can’t control as Rothman suggests.  It’s about doing the right thing.   At the end of the day, that’s what matters if you are intrinsically motivated.

Cover thy behind

Documenting everything is usually a good practice anyway.  If you build relationships rather than throwing your arms up in defeat then this simply becomes part of doing business.  It’s never personal.  It’s providing professional service to the business and keeping track of decisions so that everyone is on the same page.   If you can’t operate professionally and find yourself having to CYA on everything you do, it’s time to find a new job anyway.

Know thyself

I’ve never seen a headstone with these words: “If I’d only spent more time at work”. I’m not a believer in the separate work life, home life, play life, school life. It’s all life and it’s yours. Decide what is important to you and maintain a healthy balance.

————————-

The bottom line is information security is a difficult profession that constantly changes but that is what makes it challenging and fun.   It’s never going to be filled with glory and the only headlines tend to be negative.   The quickest way to make this profession miserable is to become a defeatist and apologist, hunkering down in a corner with an attitude of “I can’t do anything anyway”.  You don’t fight cynics and grouches by being cynical and grouchy.

An information security leader and a good information security program become fun when they are based around passion, humility, openness, clarity and agility. We don’t need more negative security professionals. Have fun. Share your knowledge and keep trying to influence others to build a positive security culture.
