Show Notes:


Contact Me:

Twitter: @justinfimlaid


I hear it all the time: security burnout is high. It wasn't until this week that I realized that folks got the reason for burnout completely wrong. After listening to someone tell me that a large tech company burns out its staff due to work volume and rotates the staff every 2 years, I realized we have it twisted. I don't know about you, but most security folks I know love doing security, and a 60 hour week hasn't burnt anyone out when they do what they love. If a 60 hour week does burn you out, then I'd recommend changing your profession as a matter of mental health. Go do something you love to do; then no one would have to pay you to work because you'd do it for free because you love it.

As a former CISO I can say firsthand that the work never burnt me out. The environment and people are what burned me out. What I mean by that is that having accountability for security and no direct responsibility for security in a $6B organization was incredibly stressful. Most security folks I know are in this spot. They have accountability for enterprise security, but the role and action of security is distributed across the organization.

Also, there should be some segregation of duties between IT and Security. Since security is often monitoring an environment, they often see mistakes made by peers in the company outside of security. Those mistakes can make security challenging, but those same peers often have little motivation to clean up those mistakes unless it directly impacts their job. So, security having to feel like they are in the position of digital janitor doing the clean up can be exhausting. There are only so many times you'll clean up the spilled milk before you just leave it spilled.

Security leadership has become a political position: evangelizing for security and educating your work colleagues on security, all so that those same company peers, when faced with a security decision, will self-select the correct decision when no one is looking.

To compound matters, you don't have all the budget you need or want to do your job. Nor do you likely have the actual authority to make the decision you want to. The threat landscape is also shifting, so tomorrow always brings a new type of cyber attack.

All this is to say that it's a tough job. Not only because of the workload, but because the surrounding intangibles of working in organizations that are probably happy to pass off security can be draining.

I’ve got news for you, the Cavalry is NOT Coming.  You are on your own.

For those of you listening to this and maybe not grasping the challenge, let me propose an analogy. We've all been out to dinner at a restaurant. Let's say being a CISO is like being the chef of the restaurant. In this analogy the chef is accountable for your meal, but not responsible for preparing it or delivering it. The chef has a partial budget and needs to convince other kitchen staff to pool their budget to buy the food needed to serve the menu. The kitchen staff, however, also have other department chefs they work for, which diverts their attention. To make matters more complicated, the kitchen is constantly invaded by rodents and kitchen hygiene is hard to keep up with. Our chef also has limited say as to the quality of food prepared, the presentation of the food, and the delivery of the food.

Now, if you went to a restaurant and knew your chef had a limited budget, the chef was not directly responsible for the kitchen staff, the kitchen staff also served other department chefs (so they have limited attention for your meal), the chef had no say in how your food was plated or served, and the kitchen was occasionally raided by rats, how good do you think your meal would be? And more importantly, how confident and happy do you think the chef would feel about his or her work? If it's me, I'd be surprised if a meal came out at all. And if it did, I can't imagine it being anything of quality.

Only in very rare situations do I see a CISO or security staff that has all the support and budget they need. For everyone else, security is a political position trying to sell their organization on the merits of doing the right thing related to security. The most successful security folks I see have amazing soft skills to negotiate and persuade others in the company to self-select the correct behaviors. But does this seem right? Does it seem right that someone at Equifax was evangelizing for security but no action was taken? Does it seem right that someone at Target was evangelizing for security but a project that could have prevented the breach was put on the back burner? Does it seem right that when something goes wrong, a CISO needs to take accountability when in actuality they probably weren't given the responsibility to do what folks think they should be doing?

No.  But the Cavalry is not coming.  You are on your own.

If you're stressed out or burnt out, what you need to know and accept is that the Cavalry isn't coming. You need to figure this out. I will say you're not alone. But oddly, folks seem to think that somehow it's going to get better all by itself. Guess what: it's not. But you can't roll over and die; you need to start somewhere at making your situation better.

There is no secret recipe, but making your situation better starts by understanding the root cause and finding the why behind what you do.

If something is uncomfortable, then you should lean into it. If it's uncomfortable, it's probably because you're bad at it. That's okay. Step 1 is realizing you need work. Step 2 is doing something about it.

If you know you need better sales or negotiating skills, you need to practice. The only way you can do this is by getting more at bats. You can't read a book or download a file to your noggin like The Matrix. It takes practice. Listen, you can have the best idea in the world, but it doesn't count for anything if you can't share it in a way people can understand.

If you need technical help, help yourself first. There are so many free open source security tools out there. Practice downloading, installing, and operating the software. Learn on your own time. Most companies are willing to give someone a chance if they can show the right attitude and aptitude. This is a way to show both.

If you're perfect, you've done everything you can do, and you're still not getting the love you feel like you deserve, then quit. Find a new job. Listen, I've been in environments where executives understand security behaviors and actually care. I've been in environments where, in my opinion, executives keep security as a necessary evil and would point their finger at the security team in two seconds if something goes wrong. Both environments are light years apart. I've been in security for a while, and there are two things I won't do: work for people who are a pain in the ass, and work with people who are a pain in the ass. You shouldn't either. Life is too short.

The Cavalry is not coming.  You’re on your own.  But you can do something about it.