It would be false advertising to suggest that every day is amazing when you work in Information Security. Like every job, there are ups and downs, wins and losses, good days and bad. But this job, more than any other I have held, always seems to get this response from non-Security folks:
I don’t know how you do it
I’m always surprised by this question, as it seems completely obvious to me why Security is a great thing to do.
I don’t think this question comes from the technical difficulty of this job — we’re not (usually) rocket scientists. The sentiment comes from an understanding that the threats are never ending, the layers of people and technology and systems are like a maze, and the impacts of failure are professionally and personally widespread and acute, all at the same time.
I think this question comes from another place, where people don’t want to think about Security any more than they have to. Once, when interviewing for a position, the non-Security interviewer said to me:
“I don’t know why anyone would want to work in Security”
which at least is a more honest version of “I don’t know how you do it”, although not particularly endearing to this job applicant.
People in Security have an image problem — and I’m not talking about the non-diverse, hoodie-wearing kind of image problem. We have trouble talking about what Security is, yes, and more importantly we have trouble talking about why we choose to work in this industry.
As a leader in an organization, a CISO’s ability to set and execute strategy, and influence cultural change, starts when the organization trusts them, as an individual. As the leadership books will tell you, trust is the basis that powers the actions of the organization.
Security leaders have a particular problem, then, if the people around them cannot understand why the leader chooses security. It makes them inherently UN-trustworthy, perhaps even devious, maybe even incompetent, and certainly not worthy of respect.
The ability of a Security leader to articulate why they do what they do is a critical tool in their “getting stuff done” toolbox. It needs to be carefully considered, discussed with colleagues and friends, and honed to a carefully worded (elevator) speech, to be pulled out whenever someone mutters
I don’t know how you do it
Recently, I’ve been reading a book called “One Piece of Paper: A Simple Approach To Powerful Personal Leadership” by Mike Figliuolo. In it, Mr. Figliuolo asks a set of questions designed to get you thinking about your leadership philosophy. The first question he asks is
Why Do You Get Out of Bed Every Day?
I admit I have found this to be an intriguing question, and one without a tremendously easy Security answer. So, I did what I always do when I run into a question I cannot answer, I went to Social Media to see what other Security people thought.
Admittedly, this isn’t a scientific survey, but I find the Security community always willing to pile on to a good intellectual problem (one reason I like working in Security), and this was no exception.
The good news is that most of the responses fell into similar categories, and are reasonably easy to explain:
CISO as Protector
Folks in this category often come from a military or other service background, but not always. They believe that Security is a service that supports the whole community, that enables our individual liberties, and often describe their Security programs in terms of “Battlefields” and “Safety” and “The Greater Good”. They want to enable their business colleagues to do whatever it is they do, while the CISO keeps them safe — from themselves, and from others.
CISO as Puzzle Master
Particularly for those that arrived in Security from a technical background, a number of Security leaders love Security because of the intellectual challenge. They see the threat landscape, and their institutional response, as a game of Chess to be thoughtfully and intelligently managed. Typically, these CISOs are really, really good at this kind of thinking.
The interaction of all the pieces and parts comes together on a good day to provide a beautiful puzzle picture.
On a bad day, Knight takes King and it’s all over.
CISO as Moral Crusader
For these folks, Security is the piece of management that aims to make data, and the use of data and systems, as ethical as possible. You see them, often, hanging out with their Privacy peers, or talking about the impact of data integrity on research outcomes, or the protection of voting systems. They understand Security to be the bedrock of our public institutions.
It may not mean a battle — it may mean a good, long, data driven analysis — but their cause is pure.
CISO as Change Agent
Let’s face it, Security is a field that is constantly shifting. New threats, new technologies, new regulations. Many CISOs in this category revel in the role of someone helping an organization to navigate these waters. They love that every day their job will provide something new and different. They get bored really, really easily, and this job doesn’t allow that to happen.
These CISOs are also notorious for wanting to learn new things. When you want an example of a “continuous, lifelong learner”, look no further than your friendly organization CISO.
For me, there are pieces of all of the above which resonate. If you’ve read any of the rest of my stuff, you’ll know this is true. But being a protector, or a puzzle master, or a moral crusader, or a change agent, are not primary reasons to get me out of bed. My motivations are much more mundane.
I value stability. I value calmness. I value predictability and order and dependability.
I want to know that when people engage with my institution, our data have integrity. I want them to know that systems will work when and where they want them to work. I want people to trust that we can do what we say we’re going to do, every single time.
To get there, the CISO job is crazy, and changeable, and exciting — and I love everything about it. To get to my goal of order from chaos, I need to be smart, and committed, and a crusader. I need to collaborate with my industry colleagues, and teach students the wonders of Security.
But the end result is none of those things. The end result should be plain old vanilla ice cream. Nothing fancy, but a little bit sweet. A non-story that no one should hear about, or think about, or read about.
As an industry, we’re not there yet. As an industry, we’re more like an ugly sausage making machine than an ice cream store. And this is why people say:
I don’t know how you do it