We are at the time of year where Security folks make predictions about the year to come, or review the year that has been. I admit I’ve done this once or twice, myself. But not this year. As I thought about it, this year as a Security leader was a lot like last year, and next year will be more of the same. Things change really slowly in security, regardless of how many new vendors appear on the RSA vendor floor.
While I was thinking about that, I had a typical week in security. The security team achieved some stuff — successful audits, completion of projects and plans, positive feedback from partners. There were also any number of industry security events that prompted an unplanned reaction within the security team; a request for budget and resources was only partially filled; and a non-security leader who deferred addressing a security issue in favor of a higher business priority.
I suspect my experience is typical of most security leaders: the same tactical things happening week after week, and industry issues and themes that remain constant year after year.
If the popular definition of insanity is doing the same thing but expecting a different result, is it any wonder that security leaders are burning out, moving quickly from role to role, and generally feeling discouraged?
As I reflected on this, I did what I usually do… I took to the socials (LinkedIn, Mastodon) to see what the rest of the community thought about this:
Two things stood out in the answers:
- First, no one could think beyond about 3 years in terms of “long term”. There was “how long you want to stay at said organization” (which in industry terms means, on average, 2 to 3 years, max). There was a talk of horizons, “now, next, or after next”. There was a suggestion that the human brain can’t handle more than a 100 day time horizon.
- Second, some responders thought thinking long(er) term was a fools errand. They suggested that measuring progress using tactical measurement was the only way to go:
Forget about “long game”, make small incremental…