I see a lot of discussion at hacker cons or security cons, depending on your predilection, that says something to the effect of “I’m burned out and drink too much.” The information security community has a hidden underbelly that hangs over its collective belt and expresses itself in a rich gothic tradition of black t-shirts and unkempt beards. Yeah, that would be a bit of a misogynist perspective. Woe to me and all who follow me into the breach of data and information sources. People are about the suck and have forgotten they are awesome.
Screw that crap.
People lie, vendors lie, and companies lie, and you should get over it. If you entered the information assurance and security field, quit arguing over whether it is cyber or not. Your job is to overcome obstacles, create opportunity, and secure the information assets you have been given dominion over. Your job is going to be difficult, filled with conundrums and competing requirements, and your bosses are going to have zero clue about what you are doing. You cannot change others, but you can realize YOU ARE FREAKING AWESOME.
Now, don’t get a swelled head. All of that bellyaching, I exist in the rawness of the counter culture, and look at me and my week-long unwashed vendor t-shirt is just making your day a little sillier. Government says you are not a professional. Every academic discipline wants to claim your gig, but isn’t willing to actually talk about what it takes to get it done. Land grant universities (the big state tech schools) talk a good game, but it is a rarity that they dirty their hands with the do rather than theory. You could always clamber over to some for-profit vendor like SANS and waste your time on tools and techniques absent theory, but at $5K a course and $1K for the exam can you say… $ouch?
In the immortal words of Rodney Dangerfield, “Look at me… I can’t get no respect.”
It ain’t about you but you are who you are. Sure you can hack all the things, and the world of the bits and bytes is your oyster. After all you are FREAKING AWESOME. Inside of that little piece of you are doubts, and you wonder why the dances at all the SecCons are sausage fests, and why did that dweeb in accounting just become the CIO, and how come you are getting grayer, fatter, and older and who is that new kid in the computer center messing with your favorite BASH script? Burn out is not a problem. It is an opportunity. There are all these people out there that will throw psychological bull puckey at you and tell you about normalization and chronic versus acute stress indicators. Screw it. Did you become an uber super duper FREAKING AWESOME security guru by listening to that pablum? Stuff sucks. Get over it. Dare I say hack happiness.
You got that super duper freaking awesome security job because you think outside of the box. You got that super freaking duper awesome security job because you are willing to push the boundaries of technology. It is time to overcome, adapt, adjust, and innovate your way out of the funk of security job malaise. We are not going to say silly things like “Boy you think you have a problem? Look at that chick over there who is all like downtrodden and stuff.” Those kinds of false comparisons are sick, sadistic and stupid. Just because somebody else’s life sucks more than yours doesn’t make it right for either one of you. I call that an opportunity.
When the stupidity of a job rises to the point of choking you like the fetid sewers of a third world country you have some choices. You can drown yourself in booze and act all machismo and shit, you can start swimming and living with the stink, or you can drag your ass out of the freaking sewer. You are doing a job because you are an awesome problem solver and can think outside the box. Do it. I give you permission to THINK. It is time to admit a few things. You chose to be there, you chose the line of work, and you choose every day to keep working. Opportunity comes with responsibility.
Recent reports suggest that if you are working in an average company you are seeing at least 10K security alerts a day. You are swamped. That is the nature of the job. That is what the job is about. It is normal. We stress about normal activities when there are competing requirements, but we don’t have to own those external requirements. Much like the coal miner showing up for work every day, there will always be coal to shovel into the hopper. Unlike the coal miner, we take the job home with us. We take it personally when somebody shovels coal faster than us. We get all up in arms about the quality of the shovel and the density of the coal on the shovel as if that really matters. We are not ever going to be able to do it all. We have to acknowledge that up front. We just want to do the right stuff.
Companies will abuse you and use you only to throw you in the trash. Some of the worst companies for treating information technology and security staffs are the ones with silly ideals like work life balance. With 50 to 1 or higher ratios of users to the entire information technology support mechanism if it sucks in the data center it will make little impact on the “golly gee Wally survey.” Companies have and will always look to keep wages in the basement. Companies have and will always look to increase profit, decrease costs, and if you are a juicy line item you get squeezed. Name the job a white collar job and put that sucker on salary. Give them a 60 hour work week and burn them like firewood. Companies have outsourced the education costs, trimmed their budgets, set hiring goals for younger workers, infected the universities with the concept of unpaid internships, and argued for foreign workers at the cost of domestic workers. When we take responsibility for ourselves we can better hold others responsible.
Think about this. Three decades ago companies took a person in with a high school education, trained them for sometimes years, and that person worked from apprentice, to journeyman, to master tradesman. This wasn’t just in your daddy’s machine shop. This was how nuclear power engineers and early computer programmers were indoctrinated into their careers. Since then companies have made students pay for their entire education and complain if after-hire training takes a few weeks or months: “The university isn’t doing its job, we have to train people 3 months before they are profitable.” After all of that, companies and government have gotten on the bandwagon of “hiring” unpaid interns for months and months of on-the-job training. Then companies complain the interns aren’t up to being productive. You are paying by cash, sweat, and effort for your entire education and that is an expensive tool suite. Own that knowledge. YOU ARE AWESOME.
Own the job, own who you are and remember to take care of yourself first. The whole concept of teamwork is an ideal imposed by companies on workers to better control and create a better environment for profit. I am not against profit but I am against the particular manifestation I see in some companies of exploitative behavior. The nature of the information security task is particularly troubling. It is not in the best interests of companies to hire women (OMFG they might get pregnant!) or older workers who are wiser, often more expensive, and willing to tell some arrogant prick in accounting to DIAF. I have watched a company fire all the developers who had kids. I watched another company fire only the married security people. Consider the concept of the following story:
Stan is a mechanical engineer. He works for ABC corporation. His wife decides she wants to live closer to relatives and he talks with his boss about it. After a few months Stan finds a job and he gives his boss a month’s notice. Stan finishes his time closing some projects, and they have a big party sending Stan on his way.
Stan is a professional and his job is all about producing product A and then product B and moving down an assembly line of projects. His job has discrete components. Compare that to Dave.
Dave is an information security specialist. He works for ABC corporation. His wife decides she wants to live closer to relatives and Dave talks with his boss about it. Dave’s boss, the CISO, is notified that Dave is a security risk and extra logging is applied to his domain account. A few weeks later Dave is approached and reprimanded because he has unauthorized web activity after spending time on LinkedIn and Monster. Dave finally gives a month’s notice and all of his accounts are closed on the spot and he is walked out the door.
Dave isn’t an apocryphal story. It is pretty much how I was treated at a company. It is pretty much how many of the worker bees in the information technology and security community are treated. It doesn’t have to be that way. We just have to accept it for what it is and go with that knowledge. Acceptance is part of knowledge. Acceptance of the negative functions does not make it right, but what it does do is empower us to evaluate and plan accordingly. When we know what to expect and accept that negative, it no longer is an issue we need stress over. Understand, make sure you hear this, acceptance is not of the wrongness or illegality, but it is of the situation. I can accept the Tech Taliban exists; that doesn’t make it right.
The job of securing a networked information asset from unknown adversaries is nearly impossible. The math is not in your favor. The entire community of peers all think they can do it better than you without really understanding what your day-to-day looks like. I laugh when I see some teeny bopper popping off on a major corporation who screwed up and missed a security alert leading to a breach. Said teen can’t manage to dress himself and the largest data asset he has ever managed is a download of Kali Linux which makes him feel FREAKING AWESOME. I still get a tingle when I walk the floor of a large company. That sense of awe in a mature data center that is multiple buildings and multiple floors in those buildings is special to people like us. To be honest I miss that most about security operations.
One last negative. Users. They are simply the best thing put on earth. If we take responsibility and ownership for our careers and jobs shouldn’t the user? Absolutely. I expect the accountant with the penchant for Hello Kitty Porn to be the best damn accountant in history. That silly gilded vice president with the Happy Pony addiction should be the best executive ever. It is not my job to judge. I give that up to others. In fact when I run data enterprises I get all up in people’s faces and totalitarian if people refer to the users as (L)users. I reflect back on a conversation I had with a mechanic decades ago. He told me that he likes the new cars with all the newfangled gadgets. People no longer work on their cars and screw them up. He pointed to a silly price list that said “If I work on it first $25 hour, If you work on it first $50 an hour.” Users are the reason I have a job and no accountant, lawyer, bankster, or doctor should be as smart as I am at information security. Letting others BE AWESOME at what they do is better than trying to force them to be something they aren’t. This penchant for pushing security to the edge instead of building around it is a huge issue that collectively we have not abandoned for the absurdity of the idea. I implore you to BE AWESOME at what you do and don’t expect others to even know you exist.
“Hey Sam, what about those pricks over in audit/scan/vuln analysis/forensics/security/budget?” When I consult to companies that are having issues on separating company functions or aligning team efforts I see this type of discussion. Everybody should be doing their own job, and not the job of others. I have found literally guru security engineers writing admin bash scripts. I’m not paying some dude $85 an hour to write scripts to load this month’s user updates. Why wasn’t the admin doing it? Because the security guy had been doing it since he started 20 years ago. We build some of our issues into our stress because we don’t empower others around us to do their own jobs. It is inherent in the information technology and security teams to do their own jobs. I know that is boring. It is the job of the CISO/CIO and often CFO to find the seams and fill them in. When you know the expectations the job is a lot more rewarding. To be sure it is not in the company’s best interest to not leave you all scrambling for perceived crumbs.
Management is all about tying buzz words to organizational change, without really considering the ramifications of change when it is completely opposite to the requirements of information technology and security. Buzz words like DevOps and innovation by disruption sound good in the board room. When companies or organizations talk about disruptive innovation it has one written down meaning, but it has an impact on information technology and security that is completely anomalous. The question that DevOps is trying to answer is not disruption of the information technology enterprise but enabling operations at the point of delivery by close coupling the development product life cycle. The question unanswered by disruption adherents is how that applies to an information enterprise analyzed and supporting metrics of stability. Other than being some code language from vendors, I tell people to BE AWESOME and do your job day in and day out. It is difficult and few can do it. In almost all cases the job really cannot be outsourced. Standardize, document, and create an environment that is stabilized and work will get better. I’ll mention one more story.
Brian worked for me at a major corporation. He did awesome and we talked often about what the job of a system administrator was really about. I told him his job was to make sure there was no down time, do whatever it takes to stabilize an environment, and secure it to the point that it was self tending. After nearly a year he got an offer at a company paying way more than I had a budget to pay him. I had him close out his projects and a couple of weeks later we sent him on his way.
Brian went to the new company and worked day and night to stabilize their environment. When he started, the normal course of business was 4 to 6 hours of unexpected network outages in a 24 hour period. The company thought that was normal. Brian after six months got the out of maintenance window outage time to zero. A sales manager walked into the data center that Brian was now running and complained about Brian’s cowboy boots up on his desk. The CIO called Brian on the carpet for a scolding where Brian told his boss, “Boss, I will quit right here unless you reprimand the sales manager. The network is running, it is running without faults, and I am in the office from 9 to 5 Monday through Friday. I am also here on Saturday nights and Sunday mornings. If I have my feet on my desk that means you are doing business. If that is wrong I don’t want to work for you.” A few months later when the CIO left he hand-picked Brian to take his place.
Brian was never stressed and I learned as much about equanimity from him as he learned operations from me. I am not a calm person. I really don’t like people that much. I do well in small groups. I can work in larger groups but I prefer one on one communication. It isn’t that I’m an introvert (I’m blogging, right?); it is that efficiency of communication decreases as the numbers involved increase. Equanimity is something I miss and have a hard time maintaining in my work life balance. The domain of information technology and security as a job is like gambling at a rigged slot machine you can never win on. That doesn’t mean you don’t try. You create in yourself an ability to live up to the credo of AWESOME. Educate yourself, give up the things that are external to you, care about the people you work with, you are not their keeper, be agile, adaptive, creative, and innovative in your solutions. Kiss a user for your job, or at least tell them thank you randomly. Know the reality of the job but don’t be owned by the fantasy imposed by others.
After all YOU ARE AWESOME…