Doom, Gloom, and Infosec


I’m perennially happy. I am almost always in a pretty good mood, despite my inherent sarcasm and less-than-politically-correct approach. But I get the impression that many in infosec are not. Everyone is different, and I don’t want to stereotype, but I do run into a lot of gloomy folks. Why is the infosec profession so unhappy in general? I closed out the IANS forum in Chicago today (which ROCKED, by the way, just too much awesomeness in CHI to contain), and Ron Ritchie made some comments that I thought were pretty spot-on in his closing thoughts. He mentioned a few good reasons to be in infosec, and I’ll list some below, including his:


Reasons infosec rocks:

  • Money is good! (Ron)
  • We have tons of interesting things to work on! (Ron)
  • We bring real value to our organizations! (Ron)
  • We can actually detect and prevent crime in some cases!
  • We have one hell of a solid career path, in general!

I’m sure this all sounds good. High-fives all around! Hmmm. Wait. We’ve still got that “Sad Panda” problem. So there are surely some negative aspects to infosec as well. What are they? Based on my experience as a practitioner, consultant, trainer, and general curmudgeon (albeit a pretty jolly one), a few things I can think of:

Reasons infosec sucks:

  • People ignore us, hate us, or perceive us as roadblocks. Or all three.
  • Infosec never seems to be “done”, ever. Always an ongoing endeavor.
  • The landscape in infosec changes so rapidly it’s difficult to keep up.
  • Overall, infosec is “hard”.
  • Related to the first point in this list, we may feel “at odds” with business units and IT organizations.
  • There’s a general sense of “futility” – we can’t “win”.
  • Our career paths are wack – do we really have any respect?

Surely I’m missing things here, likely both good and bad. However, being the “glass half full” kind of cat that I am, I am inclined to think the list of “things that rock” far outweighs the list of things that suck. Seriously! What are we so worked up about? Lots of jobs are much drearier than most of ours. And people make the best of them, get the paycheck, and go have a life outside of work. I won’t even try to speak for everyone here, that’s crazy, but I see a lot of people internalizing their positions and the issues they see in their jobs, when they should really be trying hard to leave that stuff at the office. Infosec is not a calling. There, I said it. It’s not. It’s not a crusade. It’s not the end of the world if a security control fails, or an employee gets phished, or you lose some data. Sure, it SUCKS and all, but deal with the stress of the moment and move on! Life is short. Enjoy the good aspects, deal with the bad, and most of all, get some hobbies that do not involve a computer, security, or anything else related to infosec. I love this field with all my heart, but I recognize that this is not sustainable. So…why are folks so burnt out? What am I missing here?


  • J4vv4D, 9th Wednesday 2011 at 8:59 am

    Spot on Dave… now this is what I’m talking about.

    You’re absolutely right. We’ve got so many great things going for us in the industry. You can choose to delve into the depths of technology, coding, exploits or go for a wider risk path. There are also so many great people to meet, network with and learn from. Which is probably why there are so many rocking conferences around. We have people who are genuinely excited and passionate about their chosen field of work… and that alone is worth a smile a day 🙂

  • jericho, 10th Thursday 2011 at 2:25 am

    would be a great reason ‘infosec sucks’ and would surely explain burnout for attrition staff.

  • @451wendy, 10th Thursday 2011 at 8:33 am

    Your assertion that “infosec is not a calling” is going to prompt a lot of discussion, I think. 🙂

    Those folks whose self-identity is based on rescuing or saving others are going to internalize infosec; they can’t help it. And because of all the roadblocks you mention, they’ll find a never-ending supply of windmills, but will very rarely be able to rest on victories. Maybe it’s that combination that leads to stress and unhappiness.

    For that matter, if you have a need to “win” and you can’t win at infosec, then at least you can “win” over your fellow infosec practitioners. Which explains a lot of the rest of the debates. 😉

  • Pingback: Episode 519 – Infosec Whiners, Rogue Risk Manager, Steve Was Right, Comcast’s Native IPv6 and 5 iOS Tips | InfoSec Daily

  • Davienthemoose, 10th Thursday 2011 at 9:05 pm

    I think saying “people don’t listen” is an oversimplification.

    It’s not that people don’t listen; it’s that many orgs say “Go make us secure!” and then say “Don’t do that!” to most, if not all, of the things that infosec pros know will fulfill that goal. And it’s not a difference of communication or a misalignment of priority; it’s a fundamental difference in culture between infosec pros and those who pay for infosec pros. Infosec pros want to do the right thing; everyone else wants to do whatever they want and have all those inconvenient requirements just leave them alone.

    The burnout comes from knowing what is wrong, feeling responsible for it, and being told not to do anything about it (but say you are).

    Defense does suck. We spend more time fighting with our own side to get the right tools, the right training, the right policies, the right backing, and the right people to have a chance at fighting “the bad guys” than we do actually doing the job we were hired to do.

  • Pingback: Network Security Blog » Open Tabs 11/11/11

  • Pingback: Open Tabs 11/11/11 | 安全业界观察

  • Pingback: Does Offensive Security Really Exist? | 安全业界观察