At BC Aware Day in Vancouver this past February, I was lucky enough to attend Jack Daniel’s InfoSec Survival Skills talk. Check out the recording or find Jack at a local security conference near you. Jack’s talk focuses a lot on the stresses and triggers we deal with as security practitioners and the coping mechanisms his peers shared with him. All of this got me thinking about the other side of the equation: what keeps us interested in working in the field of information security?
Many people are interested in a career in information security, and part of that is the wealth of jobs that are available now and a projected shortfall of over 1.5 million skilled infosec employees by 2020, according to (ISC)2. There are many paths to a career in infosec, and when asked how to “break into cybersecurity”, I often point people to Daniel Miessler’s excellent article on the topic. While the reasons for and paths to a career in information security vary as widely as the potential job roles in the field, there are some common threads.
Most of the infosec peers I encounter are curious about how things work, and either how to break them, how to defend them, how to build them, or a bit of all three. There’s also a common thread of healthy paranoia, that our systems and data aren’t nearly as secure as we might want to think. This paranoia can easily become unhealthy, and lead to worrying too much about breach and compromise scenarios well beyond what is likely to occur or possible to prevent. However, it’s this same paranoia that enables a security person to see the flaws and attacker motivations that may be less apparent to others.
Over the last few years, revelations about backdoored encryption standards, government eavesdropping, and an unending litany of breached organizations and personal data have borne a lot of that paranoia out to be true. Taken alone, these news reports are something most non-infosec people can easily block out. When combined with the daily work of penetration testing, securing infrastructure, threat hunting, and/or other tasks in a typical infosec career, it can easily become a case of too much bad news, all the time.
The Sisyphean challenge of infosec can be daunting. No infrastructure or application is ever completely secure. Indeed, the most realistic approaches to information security focus on raising the cost for the attacker and frustrating them before they can successfully find and exploit a vulnerability. Even in the utopian world of a 100% secure environment, there will always be people who can be socially engineered via all manner of phishing, waterholing, tailgating, and other well-known methods of exploiting human weakness.
In my experience, there are a few ways to combat the burnout induced by striving for what is an almost unreachable goal of “being secure”.
Engage with your peers
Whether it’s taking a break to have lunch at work, or finding some thoughtful people to follow on Twitter or a blog, seek out like-minded infosec people to talk about your triumphs and frustrations. Following and engaging infosec people on Twitter helped me re-invigorate my passion for infosec nearly 15 years into my career.
This might be on a personal blog you don’t advertise, or even just a journal that’s not on the Internet, at all. Whatever way you choose to capture your ideas about infosec, the act of writing them down can be immensely therapeutic and help you to reach greater insights about a particularly frustrating challenge or expand the spark of some innovation.
Attending security conferences can be exhausting physically, mentally, and financially, especially if they’re mega-conferences like RSA or BlackHat. However, check out your local Security B-Sides, OWASP, ISSA, or other smaller conference or meetup group like TOOOL (for those into physical security and lockpicking). Attending these conferences or local chapter meetings will expose you to new ideas and enable you to talk about infosec without being focused on the specific challenges of your day job.
Rather than focus on the frustrations, remember what got you into infosec to start. In most cases, it’s curiosity. Seek out projects on your day job or side job that spark that curiosity. Get involved with a local security meetup or maybe even start one of your own.
Take a break
For many of us, side projects and hobby projects end up being very similar to our day jobs. Despite that similarity, it can be therapeutic to pursue that hobby because no one is pushing you but your own curiosity. For others of us, we need a complete break from infosec. The same curiosity that pushes us into infosec yields a lot of seemingly unrelated hobbies in everything from music to carpentry.
Teaching is a great way to give something back and find new love for the work you do. Many high schools and colleges have volunteer opportunities for infosec or cybersecurity professionals. Jimmy Vo and Keith Hoodlet have also recently launched an InfoSec Mentors project to help match up willing mentors with those eager to learn.
Unless you’re lucky enough to retire early, we will all have long careers in infosec. In a field where the bad days are often more memorable than the good ones, it’s important to find ways to keep your passion for infosec burning. Fortunately, infosec is also populated by many professionals looking to help each other out and foster a real sense of community and mutual support. Whether that community is in your own organization, on the Internet, at a local meetup, or some combination, it’s never been easier to get engaged.