“I can’t believe anyone would want to work in security”, said the interviewer.
At the time, I was completely gobsmacked that a senior leader would say something like this, during an interview no less. Since then, I’ve learned that most non-security people harbor similar thoughts: why would any self-respecting person want to work in a thankless, stress-filled, under-resourced profession like cybersecurity?
I admit to harboring these thoughts myself, especially during times when I feel like all my efforts are going nowhere. Why do perfectly smart, driven, trustworthy people continue to throw themselves on the fire of ignorance, apathy, and disregard that is the typical organizational response to security risk?
And Then Came 2020…
For some of us, 2020 meant a turbo-injection of funds to speed up security projects to support secure remote working. These security teams went into overdrive, achieving things in a timeframe they didn’t think possible. Long hours, but an improved risk posture.
For others, 2020 meant a budget cut, and our industries sputtered. We learned that when there is only $1 to spend, none of it will be on security. A logical business risk decision, of course, and also a reminder for those security teams that their work is expendable.
For all of us, regardless of budget, 2020 also meant increased phishing, ransomware, and other interesting threats. Let us not forget our fellow employees, who were trying to hold it together by working from home and at the same time paying little attention to the security of their home network or how confidential they were keeping company data. Let us not forget our vendor partners, struggling with the same issues as us.
To top off 2020, when it couldn’t seem to be much scarier, we ended the year with an interesting nation-state hack. The fallout from the event is not yet fully understood, but for security teams we know it will continue into the future, influencing regulations, partnerships, and security strategies.
2020 was the year I most loved working in security.
When our world shut down, and people were working from home in stressful situations, there was a lot of buzz in the general community about being intentional in taking care of one another. Management articles sprouted like mushrooms about how to show empathy. Leadership discussions took place about giving flexibility to staff as they balanced work and home and school.
Do you know? In security, we were already doing those things.
Was it because we are a more empathic group of people? Was it because security attracts people who pay attention to the community? Was it because security people are inherently more flexible, that our work style required the ability to pivot quickly?
Instead, I suggest that security is a profession where people have to take care of one another, in ways that other professions don’t — and that when 2020 hit, the skills we had already learned served us well.
What skills am I talking about?
Security people support each other
There are plenty of stressful jobs out there, for sure. Few of them have stress from being misunderstood.
When you work in security, your job is to help other people be more secure, even if that isn’t what they want. It’s to help other people avoid landmines they cannot see, to plan for events they don’t think will happen, and to recover when those events inevitably occur. Non-security people rarely understand this. They think security is administrative overhead, or misguided over-protection, or compliance overreach.
When you work in a function that is misunderstood, you turn to others who do what you do for support. You lean in to help out others who are struggling with the same challenges. You check in regularly to make sure other security people are doing OK. You learn early that you need one another in order to succeed — and this is a skill that we ALL learned in 2020.
Security people can read the room
When you work in security, particularly in a leadership role, you need to work extra hard to make sure you understand where other people are coming from. You need to understand what is motivating them, and what they value, and what is getting in their way.
When COVID hit, we were all asked to take time out of our work conversations to ask “how are you doing?” and “what do you need?”. We were asked to consider the living arrangements of our teams — who was looking after small children, teenagers, or aging parents. We were asked to consider people’s mental state — were they doing well, or barely holding on? Some people were able to use 2020 to move ahead in leaps and bounds, while others were barely able to make it through the day. Knowing the state of who you were talking to was so critical, and we all needed to stop and work this out.
Security people do this all the time (we all need to do this all the time — it’s just that some of us don’t) in order to influence and cajole and convince. It goes with the security territory. So when management gurus were reminding people to check in with others, be understanding of their situation, consider their perspective when conflict arose, security people were already there.
Security people are resilient
When you are in a job where every day you have to imagine the bad things that can happen, you develop coping skills.
There is an order to working in any risk management function, including security. Regardless of the risk type, you evaluate the threats, plan ways to mitigate the threat, respond quickly when bad things happen, and recover. Rinse, repeat. You learn to spot where you are in the cycle and have a plan to move to the next phase.
This structure is a coping skill. When COVID hit, security people quickly recognized the pattern — react, respond, recover — and quickly stepped in to deal with the issues as they arose. For people not used to this cycle, it was more difficult to see what to do next, or why. Security people didn’t have all the answers any more than anyone else — but they had a path they could see and a way to follow it.
When 2020 became the dumpster fire that it was, I was already working in a community of people who actively took care of each other, paid close attention to how everyone was doing, and used strategies to keep moving through the issues of the day.
There is no community I would rather be a part of, in any year.