Finding Security Energy

Helen Patton
Nov 28, 2019

The average tenure for an InfoSec Executive is two to four years. This isn’t a particularly long time, in business terms. This isn’t a long time in any term. There are a number of reasons for this, including the hot job market we’re in (a bigger paycheck can always be tempting) but I have another theory: Security people get bored easily.

Let’s face it, when incidents happen, the Security job can be an adrenaline rush and a power trip. We get to see pretty much everything happening in our organization. We get to deal with crisis after crisis, and increasingly these crises involve us at the highest levels of the organization, in a command position. Security (or lack thereof) touches the heart and soul of an organization, and the Security Exec is at the center of it all. People are often attracted to Security Leadership because of the thrill of the game.

How ironic, then, that the better the Security Executive is, the less likely it is that a crisis will emerge. Now, I’m not saying that a company is less likely to be attacked (philosophically I would think this is true, but I haven’t seen empirical evidence of it yet); I am saying that even if an attack occurs it doesn’t rise to the level of a Crisis. A well-managed Security program means that when the flag goes up, folks know how to respond calmly and efficiently. Senior leaders rest easier knowing that they are in good hands. Employees get on with the business of response and recovery (assuming recovery is even needed). Lawyers and Communications managers know what is happening and how to talk about it. Cyber Insurers are warm in their beds, knowing that they won’t be needed. You are still needed, but the heart-racing, sweat-inducing, where-is-the-super-hero part of the job is gone.

So if a high-performing Security Executive has managed to smooth out the peaks and valleys of the job, where do they go to find positive energy, to emotionally engage in their work? Where can they find inspiration and motivation to continue to give 100% or more to their job, to lead their teams to higher performance?

Surround Yourself With Inspiring People

There are many Security Luminaries and Influencers. And surprisingly, they’re relatively easy to find. Find them. Follow them. Understand what they’re talking about now. See their talks, online and in person. Read their books. Branch out into related fields like Privacy, Emerging Tech, Psychology and Ethics. Whatever your interests are, follow those folks. Introduce yourself to them. Get engaged. Get energy.

Start Something New

Let’s face it — the Security job is never done. The environment changes, the technology changes, the threat actors change. Find a New Thing for your organization, and make it happen. Now, for those of you with limited budgets, this might mean an open source project, or a vendor partnership that has a mutually beneficial data sharing arrangement, or something like that — the point is to carve time out of your budget/people resources to experiment. It doesn’t have to be a Highly Visible Project either — it can be a Sneaky Skunkworks Effort — but find time to play. Most Security folk thrive on change — so make some.

Kill Off Something Less Valuable

Sometimes, in order to make room for something new, you have to get rid of something else. Look across your portfolio of services — what is no longer adding the value it once was? What can be replaced with something that does more than that old point solution? Marie Kondo your security closet. There is nothing like cleaning out Security cobwebs to improve your energy level.

Double Down on an Existing Thing

We all have tools and services, people and THINGS that are being underutilized. We’ve deployed 75% of a product, and left 25% of the functionality untouched. We’ve staff who are mid-level operatives who, with a little extra training investment, can become subject matter experts. We’ve deployed something to half the company, but not all of it. As you’re looking across your service portfolio, consider under-utilized things, and see if there’s a way to grow them further. Squeezing the last drop of value from an overpriced Security product can be highly energizing!

Learn a New Thing — and Talk About It

We know there are New Things happening in Security all the time. New tech, new philosophies of execution, new regulations. As a Security Exec, it’s easy to let someone else on the team become the Expert in these things — but this is also a place to spark new interest and thinking. Tired of Security vendors using AI terminology for every new thing? Go learn more about AI, and be more prepared to debate the merits of their products. Want to know more about Quantum and its impact on Security? Read widely. But don’t stop there. Learning for yourself is OK, but find a way to share your knowledge with others. Conferences and other community gatherings are great places to share and test your understanding. If nothing else, you now have a new way to scare your company executives with threat vectors they hadn’t previously considered. And that’s energy-giving.

Watch for the Children

OK, not the children, per se, but anyone new in the InfoSec industry. Remember what it felt like to learn a New Security Thing, when you were just starting out? It was like walking into Mr Wonka’s Chocolate Factory — amazed and delighted and salivating. There are PLENTY of people who are just now there — amazed at what they can do with Kali, delighted at their ability to know how the Dark Web works, self-impressed with their success at CTFs. Hang out with people like this. Find them, encourage them, mentor them. Their energy is contagious, and being around them will boost your own.

Help Put Out Someone Else’s Dumpster Fire

Just because your organization is now a sanctuary of Security Calmness, doesn’t mean everyone else’s is. We know that local governments, and non-profits, are under-staffed and over-attacked. Can you help them out? It could be joining a Board, but it could also be providing ad hoc security support. Some US states (like Ohio) are now creating volunteer cyber reserves, for the purpose of providing incident support to under-prepared organizations. Can you get your adrenaline rush that way?

Finding energy and staying inspired is a constant challenge for an under-stimulated Security Exec with a mature, fully operational Security program. Of course, you can continue to job hop but at some point there will be a great job you don’t want to leave, or family reasons which make you stay, or general life awareness that you’re tired of moving all the time. In that case, you have to find ways to reengage with your existing job, to recommit to the leadership of the position, and to invest in yourself.

The benefits to developing this skill are huge — for you personally (developing intrinsic motivation) and for your company (benefiting from your deep institutional knowledge).

May it be so.


Written by Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com
