Doom, Gloom, and Infosec


I’m perennially happy. I am almost always in a pretty good mood, despite my inherent sarcasm and less-than-politically-correct approach. But I get the impression that many in infosec are not. Everyone is different, and I don’t want to stereotype, but I do run into a lot of gloomy folks. Why is the infosec profession so unhappy in general? I closed out the IANS forum in Chicago today (which ROCKED, by the way, just too much awesomeness in CHI to contain), and Ron Ritchie made some comments that I thought were pretty spot-on in his closing thoughts. He mentioned a few good reasons to be in infosec, and I’ll list some below, including his:


Reasons infosec rocks:

  • Money is good! (Ron)
  • We have tons of interesting things to work on! (Ron)
  • We bring real value to our organizations! (Ron)
  • We can actually detect and prevent crime in some cases!
  • We have one hell of a solid career path, in general!

I’m sure this all sounds good. High-fives all around! Hmmm. Wait. We’ve still got that “Sad Panda” problem. So there are surely some negative aspects to infosec as well. What are they? Based on my experience as a practitioner, consultant, trainer, and general curmudgeon (albeit a pretty jolly one), a few things I can think of:

Reasons infosec sucks:

  • People ignore us, hate us, or perceive us as roadblocks. Or all three.
  • Infosec never seems to be “done”, ever. Always an ongoing endeavor.
  • The landscape in infosec changes so rapidly it’s difficult to keep up.
  • Overall, infosec is “hard”.
  • Related to the first point in this list, we may feel “at odds” with business units and IT organizations.
  • There’s a general sense of “futility” – we can’t “win”.
  • Our career paths are wack – do we really have any respect?

Surely I’m missing things here, likely both good and bad. However, being the “glass half full” kind of cat that I am, I am inclined to think the list of “things that rock” far outweighs the list of things that suck. Seriously! What are we so worked up about? Lots of jobs are much drearier than most of ours. And people make the best of them, get the paycheck, and go have a life outside of work. I won’t even try to speak for everyone here, that’s crazy, but I see a lot of people internalizing their positions and the issues they see in their jobs, when they should really be trying hard to leave that stuff at the office.

Infosec is not a calling. There, I said it. It’s not. It’s not a crusade. It’s not the end of the world if a security control fails, or an employee gets phished, or you lose some data. Sure, it SUCKS and all, but deal with the stress of the moment and move on! Life is short. Enjoy the good aspects, deal with the bad, and most of all, get some hobbies that do not involve a computer, security, or anything else related to infosec. I love this field with all my heart, but I recognize that this is not sustainable. So…why are folks so burnt out? What am I missing here?