Think your job is tough? Unless you’re in information security, puh-leeze. Those guys (and they are mostly guys, but that’s a whole different story) have it really rough. Sure—every job on the planet has tradeoffs, and there will always be some good days and some bad days. But anyone who’s responsible for cybersecurity within an organization is in a particularly challenging position, for a whole bunch of reasons.
It’s a thankless job—literally.
No one ever sees an InfoSec person in the hall and says, “The systems are up, running great, and threat-free—Awesome job, thanks!” This is one of those jobs that, when done well, is completely undetectable. There are no kudos. But when things go wrong, all they get are complaints. And as we know, a lot can go wrong, although even that is in the eye of the beholder. Getting hit by a breach is an obvious one that makes for a Very Bad Day. But there are many others to be concerned about… maybe the email filtering tool updated its software and managed to quarantine a bunch of legitimate messages employees have been waiting for but never saw in their inboxes. A lot of users are going to start complaining, and some will blame the messenger, and that’s no fun either. But the long stretches of days, weeks, months—even years if they’re exceptionally lucky—when everything is running smoothly and securely? Crickets.
There really is a global shortage of cybersecurity talent.
The latest research from (ISC)2 finds the shortage of cybersecurity professionals is close to three million globally. That’s good for the InfoSec folks, you might be thinking. They can pick and choose which companies they work for. They can command higher salaries. Maybe. But there’s another side to this story, one that affects all of us. The same study found that 59% of respondents say this shortage leaves their companies at moderate to extreme risk of attack—not to mention the potential for burnout. According to CyberSeek, the total U.S. employed cybersecurity workforce is 768,000, and there are still 302,000 cybersecurity job openings (which tracks with the (ISC)2 data that estimates a North America shortage of 498,000). When a job is unfilled, it often means that others in the company have to take on those tasks. The numbers mean that every cybersecurity employee on average has to do the work of 1.4 people. That’s 40% more work, and 40% more responsibility. But not for 40% more pay.
Did we mention end users?
It’s hard enough to run a tight cybersecurity ship. Enterprise networks are insanely complex, and to say that those networks are porous is a vast understatement today. There are so many applications and so much data that need to be secured on a continuous basis, and it’s a moving target: the business is adding new systems, vendors are delivering new versions with cool new features, and security patches are being released and must be quickly deployed. On top of all of that, there are the end users. They’re nice people (mostly). And they’re pretty good at their own jobs (mostly). But they’re not cybersecurity experts, and they sometimes do things that compromise the systems and data the InfoSec team is responsible for protecting. In fact, a huge proportion of security incidents stem from human behavior or error—clicking links they shouldn’t, losing devices, falling for a phishing ruse, etc.
Balancing the tradeoffs can be tough.
And speaking of end users, it may sometimes feel like the company’s security policies and controls were created just to make your life difficult. While usability and security aren’t direct opposites, there is often an inverse correlation, so InfoSec has a challenging balancing act to maintain. Sometimes usability (which you see) is a casualty of the only tools the team has at their disposal to ensure security (which you don’t see). And then compliance gets thrown into the mix, which might drive additional controls that could feel excessive from the end-user perspective. Blame the politicians for those.
When—not if—the worst happens, be ready.
The unpredictable nature of cybersecurity attacks, or even lower-level “incidents,” means that at any moment, regular priorities and activities are thrown out of whack while the InfoSec folks race against time to find the source, fix the problem, mitigate the damage, and report to the higher-ups. According to a Ponemon Institute study, it takes companies an average of 66 days to contain a data breach. That’s two months of high-pressure, high-visibility toil—consuming many long nights and weekends—while the regular work piles up (and don’t forget, they’re shouldering the responsibilities of 1.4 people). Incidents aren’t the only time InfoSec professionals have to scramble. While security is gaining priority in boardrooms and planning sessions across the board—which means it has a higher chance of being baked into strategies and initiatives from the start—there are still plenty of cases where it’s an afterthought. Which means InfoSec is under tight deadlines to find a way to retrofit security into systems and projects that have been underway for months, if not years.
Be a better cybersecurity corporate citizen—and make some new friends.
It’s not that you don’t understand what it’s like to have a really hard job and to feel underappreciated. It’s because you do get it that you should make a little extra effort with the all-“guts-no-glory” InfoSec team. Pay attention to (and heed!) those security policies and procedures. They exist to protect you and the organization you work for from breaches and non-compliance penalties. Educate yourself on why those policies and procedures are in place. Get to know the team. They’re people! Did you know that November 30 is Computer Security Day? It’s a great time to start a new appreciation for and relationship with the InfoSec team. Maybe take them out to lunch or just bring them a pizza. You might even discover you have some things in common.