Security: Taking the Long, Long, Long View

Helen Patton
5 min readDec 4, 2022

We are at the time of year where Security folks make predictions about the year to come, or review the year that has been. I admit I’ve done this once or twice, myself. But not this year. As I thought about it, this year as a Security leader was a lot like last year, and next year will be more of the same. Things change really slowly in security, regardless of how many new vendors appear on the RSA vendor floor.

Photo by Simon Berger on Unsplash

While I was thinking about that, I had a typical week in security. The security team achieved some stuff — successful audits, completion of projects and plans, positive feedback from partners. There were also any number of industry security events that prompted an unplanned reaction within the security team; a request for budget and resources was only partially filled; and a non-security leader who deferred addressing a security issue in favor of a higher business priority.

I suspect my experience is typical of most security leaders: the same tactical things happening week after week, and industry issues and themes that remain constant year after year.

If the popular definition of insanity is doing the same thing but expecting a different result, is it any wonder that security leaders are burning out, moving quickly from role to role, and generally feeling discouraged?

As I reflected on this, I did what I usually do… I took to the socials (LinkedIn, Mastodon) to see what the rest of the community thought about this:

Posted on LinkedIn

Two things stood out in the answers:

  • First, no one could think beyond about 3 years in terms of “long term”. There was “how long you want to stay at said organization” (which in industry terms means, on average, 2 to 3 years, max). There was a talk of horizons, “now, next, or after next”. There was a suggestion that the human brain can’t handle more than a 100 day time horizon.
  • Second, some responders thought thinking long(er) term was a fools errand. They suggested that measuring progress using tactical measurement was the only way to go:

Forget about “long game”, make small incremental…

Helen Patton

Written by Helen Patton

1.2K Followers

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange

More from Helen Patton

Recommended from Medium

Lists

An abstract image showing data connecting with graphs in the background

Business

30 stories22 saves

Company Offsite Reading List

8 stories51 saves
Kim Scott Radical Candor

How to Give Difficult Feedback

7 stories202 saves

How to Lead Well as a New Manager

14 stories208 saves

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech

Teams