Slashdot Mirror


Are IT Security Professionals Less Happy?

zentanu writes "It's said that if you want to be happy, be a gardener. What about IT security professionals? Having worked as an IT security consultant for several years, I now wonder if my job has a negative influence on my happiness, because it constantly teaches me to focus on the negative side of life: I always have to think about risks and identify all sorts of things that could go wrong. As an auditor I search for errors that others have made and haughtily tell them. As a penetration tester I break systems that system engineers and administrators have laboriously built. I assume inside threats and have to be professionally suspicious. The security mindset surely helps me in my job, but is it good for me in the long run? What kind of influence has being an IT security professional had on your general attitude towards life? What helps you stay out of pessimism and cynicism? Is protecting existing things really as good as building new ones?"

41 of 363 comments

  1. Short Answer by AndGodSed · · Score: 1, Insightful

    YES.

    Real Question: WHY?

    1. Re:Short Answer by dsginter · · Score: 5, Insightful

      Real Question: WHY?

      In "traditional" security, people can ascertain the threats on their own - so they are happy to allow the "security" department to interrupt their life (e.g. - using keys to open locks).

      In IT security, people just want to download cool screen savers. Most simply don't see the risk. As such, the job of an IT security professional is much more difficult (e.g. - "why can't my password just be the name of my dog?").

      So, most people who work in IT security are made out to be Mordac - "Preventer of information services".

    2. Re:Short Answer by NeverVotedBush · · Score: 2, Insightful

      And please be the kind of system administrator that understands the security people are the ones who get called on the carpet if there is any kind of breach or other problem.

      Being a security person means they walk a tightrope. They have admins who do things without ever considering the security aspect, they have admins who think "to hell with the security people, I know better", and then you have at least some of management who wants to know why all of their pet favorites can't just have root.

      I agree completely with the build a relationship approach, but there are some out there that refuse to have anyone tell them anything because they already know their way is the right way and anyone who thinks different is obviously stupid and a hindrance to their oh so more important work.

      And yep, management ought to can those kinds of people, but when management sees them as being especially productive there isn't even disciplinary action.

      And so it goes.

    3. Re:Short Answer by Jah-Wren+Ryel · · Score: 5, Insightful

      So, most people who work in IT security are made out to be Mordac - "Preventer of information services".

      I do a fair amount of "security engineering" - designing and implementing secure systems. What I have found is that in most cases the reason people (users) see the security people as "preventer of information services" is because the security people don't give a shit about actually using the systems, only about securing them.

      I've come to believe that to be a really good security engineer requires loads of human-factors type expertise because the problem is not just how to secure the system, but really how to enable the users to do their work as easily as possible in a secure fashion.

      The classic example is the password policy that is so byzantine that nobody can remember their own passwords - sure it is secure on paper, but because nobody took into account that actual people have to use it, the net result is that people 'cheat' and write down their passwords or come up with password creation schemes that produce easily human-guessable passwords if you know any of the previous passwords (!ReD_111, @BluE_222, #GreeN_333, etc).

      --
      When information is power, privacy is freedom.
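The rotation scheme the comment above describes (!ReD_111, @BluE_222, #GreeN_333) is mechanically detectable, which is the point: a policy that only counts character classes accepts it, while a check against the user's own history rejects it. The following Python is an added example, not code from the thread or from any commenter; it flags a candidate whose word part resembles an earlier password under different decoration, whose digits continue an arithmetic counter, or which keeps the same symbol/word/symbol/digits shape as every earlier password. The sample history, the 0.8 similarity threshold and the function names are assumptions made for illustration.

```python
"""Check whether a proposed password is a predictable successor of a user's
previous ones, e.g. the !ReD_111 -> @BluE_222 -> #GreeN_333 scheme.

Constructed example; not Slashdot's or the commenter's code. The sample
history, threshold and function names are assumptions."""
import re
from difflib import SequenceMatcher

# Constructed sample history modelled on the scheme in the comment above.
HISTORY = ["!ReD_111", "@BluE_222", "#GreeN_333"]

_RUN = re.compile(r"[A-Za-z]+|\d+|[^A-Za-z\d]+")


def template(pw):
    """Collapse a password into its run structure: '!ReD_111' -> 'SASD'
    (S = symbol run, A = letter run, D = digit run)."""
    out = []
    for run in _RUN.findall(pw):
        out.append("A" if run.isalpha() else "D" if run.isdigit() else "S")
    return "".join(out)


def letters_of(pw):
    """Letters only, lower-cased, so case games and symbol swaps don't hide reuse."""
    return "".join(re.findall(r"[A-Za-z]+", pw)).lower()


def digits_of(pw):
    """All digits concatenated as an int, or None when the password has none."""
    d = "".join(re.findall(r"\d+", pw))
    return int(d) if d else None


def predicted_next_counter(history):
    """If the digit parts of the history form an arithmetic progression
    (111, 222, 333 or 1, 2, 3), return the next term; otherwise None."""
    nums = [digits_of(p) for p in history]
    if len(nums) < 2 or any(n is None for n in nums):
        return None
    steps = {b - a for a, b in zip(nums, nums[1:])}
    if len(steps) != 1:
        return None
    step = steps.pop()
    return None if step == 0 else nums[-1] + step


def check_candidate(candidate, history, similarity=0.8):
    """Return the reasons the candidate is guessable from history; [] means it passed."""
    reasons = []
    if not history:
        return reasons
    cand_letters = letters_of(candidate)
    # 1. Same word, different decoration (ReD -> rEd!, Red2, ...).
    for old in history:
        old_letters = letters_of(old)
        if cand_letters and old_letters:
            ratio = SequenceMatcher(None, cand_letters, old_letters).ratio()
            if ratio >= similarity:
                reasons.append(f"letters resemble a previous password (ratio {ratio:.2f})")
                break
    # 2. The counter marches on: 111, 222, 333 -> 444 (or last value +/- 1).
    cand_num = digits_of(candidate)
    last_num = digits_of(history[-1])
    nxt = predicted_next_counter(history)
    if cand_num is not None:
        if nxt is not None and cand_num == nxt:
            reasons.append(f"digits {cand_num} continue the counter seen in the history")
        elif last_num is not None and abs(cand_num - last_num) == 1:
            reasons.append("digits are the previous password's counter plus or minus one")
    # 3. Same shape (symbol, word, symbol, digits) as every earlier password.
    shape = template(candidate)
    if len(history) >= 2 and len(shape) > 1 and all(template(old) == shape for old in history):
        reasons.append(f"follows the same template {shape!r} as every previous password")
    return reasons


if __name__ == "__main__":
    for cand in ["$YelloW_444", "!ReD_112", "correct horse battery staple"]:
        print(cand, "->", check_candidate(cand, HISTORY) or "ok")
```

Caveat: this needs the earlier passwords in clear, which you normally only have at change time when the user supplies the current one. Against a hashed history the same idea is applied in reverse: hash the predictable variants of the new candidate (the predicted next counter, the old word with new decoration) and reject the candidate if any digest matches a stored one.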
    4. Re:Short Answer by mhall119 · · Score: 2, Insightful

      And which are the 5%?

      The ones who can change other people's passwords.

      And how do you work out which roles those are? Bonus points for describing how to integrate a data access privilege level for every user when they are first hired, when they change role, or every time the information they access changes.

      The security protection should be put on the resources being accessed, not the user accessing them. Keep things with different security needs separate. When someone's role changes and they need access to that resource, then they have to conform to the security requirements of that resource. If that means using a different password than their desktop log-in, that's fine.

      Oh look, it's ten thousand times easier and more secure to train everyone to do the right thing in the first place.

      Easier, yes. More secure, no. You can't successfully train everybody at the same level, without lowering the level to the point of not providing adequate security when it really is needed.

      --
      http://www.mhall119.com
  2. Good times and Bad times in any job by RotateLeftByte · · Score: 4, Insightful

    I'm an IT consultant with over 30 years' experience since I graduated. There are good times and bad times.
    The good times for me were in the mid 1990's when I worked in the old Soviet Bloc. There, I could see the work I was doing making a difference.
    The bad times were when the company I worked for got taken over and the whole job changed. Suddenly we were supposed to apply production line metrics to consulting assignments.
    Luckily I got out and started on my own.

    However in your job, it does seem that you are predominantly occupied looking at the down side of IT. Keeping those pesky hackers at bay is not a job I'd want to do.
    I'm a fairly creative person. So I have concentrated on spending more time doing things outside of IT.
    I've just signed a deal to get my first novel published. Not a huge amount of money. But I can concentrate on the positive for at least part of the day.

    Perhaps you do really need to take a long hard look at your work life balance.

    --
    I'd rather be riding my '63 Triumph T120.
  3. happiness... by laktech · · Score: 3, Insightful

    It's all about your attitude. Is the glass half empty or half full? Injurious suffering or ardent happiness is a choice.

    1. Re:happiness... by plover · · Score: 2, Insightful

      Attitude makes all the difference. I enjoy finding the bad guys who are actually maliciously doing something bad and stopping them. It's rewarding to pull up a list of things you've accomplished and say, "See? I stopped these guys who stole a thousand dollars a day from us!" Do I care what kind of people they were? No. Do I care why they were stealing? No. Do I care what crap happens to their lives after being convicted of theft? Not really. Once someone has crossed that line of stealing from the company, I have zero sympathy. I even take it a little personally: they're stealing value from my stocks, from my retirement, and they're causing higher prices for our non-thieving customers.

      And yes, sometimes you will get sucked into seeing the worst of humanity. A friend of mine is occasionally involved in investigating some seriously sick crap, but again he has to look at it from a different viewpoint: "Did he stop a pedophile? Did he help a child?"

      Focus on the good things your job is accomplishing. You're keeping the network safer. You're protecting the integrity of your data. You're keeping thieves out of the honey jar. You're protecting your company's good name and image. Those are accomplishments to be proud of.

      --
      John
  4. I thought system admins were gardeners by davidwr · · Score: 5, Insightful

    Why do you think they call them server farms?

    Seriously, being a system admin is like being a commercial-grade landscaper or farmer.

    If a system admin has a good job, he'll have the authority to decide what to plant/what equipment to install, what to feed it and how often to water it/what scheduled hardware and software maintenance is necessary, etc.

    He will also tend the garden/maintain the system and reap and share the rewards for his efforts/get paid and have happy customers or bosses.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  5. Oy vay by PingXao · · Score: 5, Insightful

    Come on. Get over yourself. Cops, lawyers, doctors, nurses, paramedics, military people... these walks of life deal with human misery, pain and suffering every day. If you're so worried about offending your sunny disposition maybe you should join a convent.

    Listen, in any field if you can't take enjoyment out of what you're doing then (a) you should change your profession, or (b) realize if you can't do (a) you're in the same boat with about 80% of the rest of the population.

    As a member of the IT world, security-related or otherwise, you have intellectual challenges and brain-teasers to deal with on a constant basis. Testing your knowledge and skill, forcing you to re-evaluate whether you're as good as you think you are every step of the way. And yet, even in such a position you're bound to go through times when you find yourself working for some real asshole(s). They're no fun, either, but you have to keep plugging away.

    Either that or apply for a job at the factory where they make those "Have A Nice Day!" bumper stickers. Oh wait ... that's in China. Never mind.

    1. Re:Oy vay by Nezer · · Score: 5, Insightful

      Come on. Get over yourself. Cops, lawyers, doctors, nurses, paramedics, military people... these walks of life deal with human misery, pain and suffering every day.

      Are you saying that because other people can do it then he/she should too? If so I can't help but ask who are you to tell someone what they can and cannot do? This is known as "minimization" and can be a very ineffective, not to mention damaging, way to communicate with someone.

      If you're so worried about offending your sunny disposition maybe you should join a convent.

      Can you sense the hostility?

      Listen, in any field if you can't take enjoyment out of what you're doing then (a) you should change your profession, or (b) realize if you can't do (a) you're in the same boat with about 80% of the rest of the population.

      That 80% of the population you claim has the same capability to make choices about their life that the other 20% do. People choose what they do for their own reasons, not for yours or mine.

      but you have to keep plugging away.

      *YOU* might have to keep plugging away but the OP doesn't. That's for him/her to decide. Besides that, 80% of statistics are made up 20% of the time.

      You make some good points but I sense a lot of underlying hostility in your comments that, if I saw in myself (and, believe me I have) would eventually force me to take an inventory about where I am in life.

      The OP asked a very good question and you have seemingly interpreted it as him griping about his job. Maybe that is the subtext that spawned the question but it is not how the question is presented.

    2. Re:Oy vay by rah1420 · · Score: 3, Insightful

      Why was this modded Troll? He's at least speaking his mind here.

      --
      Mit der Dummheit kämpfen Götter selbst vergebens. (Against stupidity the gods themselves contend in vain.)
  6. Less Happy? How About More Happy! by Anonymous Coward · · Score: 5, Insightful

    I used to be a software developer for many years and am now in IT security. For me, IT security is actually more satisfying. I'd much rather be the person responsible for finding security weaknesses and assessing risk than the person responsible for getting high quality systems built under tight deadlines.

    When you present your security assessment findings to the developers/engineers, there's no need to be haughty about it. Nobody's perfect and every system is going to have some bugs and weaknesses in it. Just present the risks in a matter of fact way so that the people in charge will understand and can make informed decisions on what to fix and how quickly.

    Also, when you do security assessments / pen tests, why not also include a section in your report where you tell the developers what they're doing well from a security standpoint? I always do this, which helps to balance out the negative aspects of a pen test and makes the developers feel good before I show them what they need to improve on.

  7. Correlation vs Causation by Rorschach1 · · Score: 5, Insightful

    Hasn't it been fairly well established that more intelligent people are less likely to be happy in general? Being good at IT security (and not just an appliance operator, trained to run a few tools and read the generated reports) requires a fair amount of creative thinking and intelligence. I've worked in the field in the past, and I don't think it's specifically the adversarial mindset that causes unhappiness. I actually had a lot of fun doing that stuff - at least, when my work was appreciated by those I was advising and I wasn't seen as an interloper. That depends more on people skills, both on the working level and in management.

    On the other hand, for the last few years I've worked on projects that are ostensibly for the public good, ensuring safe water supplies and such, but I've been rather unhappy with it. Why? Because the company I was working for was far better at securing grants and government contracts than at building anything useful and actually putting it to use beyond carefully controlled tests and demos. I came to realize that nothing I ever did there would ever really matter.

    Since then I've been self-employed, doing ten times as much work but I'm happier.

  8. Thankless job by EvilMonkeySlayer · · Score: 4, Insightful

    It's a thankless job.

    Think about it, you have to constantly deal with user mistakes or quite often the mistakes of others and correct them. By correcting someone's mistake you are showing them their faults, not generally a good idea if you want people to be nice to you.

    Therefore you end up with user aggression towards the people who provide their computer support.

    And when it's the fault of faulty hardware they blame you; you can't win.

  9. If it floats your boat by cmacb · · Score: 5, Insightful

    If you say you're happy, then why question that?

    All I know is that when I worked with mainframes there was no such job classification as "security professional" unless you count the people in charge of guarding the building.

    When one mainframe needed to communicate with another we did so over leased lines, and the notion of receiving an executable from another mainframe and running it automatically I don't think would have ever occurred to anyone.

    While you might conclude that having a powerful computer on everyone's desktop makes the security exposures we have today inevitable, I don't think it necessarily follows from that that enterprise computing should be as vulnerable as it has gotten. Obviously the "PC revolution" has not resulted in economies of scale, quite the opposite. How many orders of magnitude has growth in enterprise IT gone through? I guarantee you right here on Slashdot there are people who see no problem in downloading large chunks of sensitive data to a machine (even a laptop) outside the data center, for either temporary fiddling, local cache, or whatever and then (if the machine hasn't gotten lost or broken) uploading it to the corporate database overlaying intermediate transactions.

    I talk to people working in these environments quite frequently who just don't have a clue. Someone in your job has to not only constantly try and stay a jump ahead of crackers (not hackers!) but also fight with people who are supposed to be on your side about how rules you impose keep them from getting their job done (or so they think). Our profession has been considerably dumbed down in my opinion by the advent of desktop computing. There is no solution in sight. That's why I would find a job like yours unappealing.

    1. Re:If it floats your boat by datajack · · Score: 2, Insightful

      When one mainframe needed to communicate with another we did so over leased lines, and the notion of receiving an executable from another mainframe and running it automatically I don't think would have ever occurred to anyone.

      That's true, but it could be argued that similar security holes still exist. When exploiting buffer overflows and the like, you are not asking the system to run an executable automatically, you are 'confusing' it to such an extent that it can't think of anything else to do.

      While not quite mainframe, I have accidentally made an AS/400 system inaccessible (and stopped the portion of the company that was relying on it) during a pen-test before. 'Big iron' is just as likely to have problems as distributed systems (often more as distributed systems are usually programmed with at least an awareness of security and defensiveness).
  10. Good or bad by jav1231 · · Score: 4, Insightful

    Sometimes the 'security mindset' gets silly. I often find our security team thinks they're being paranoid for the good of the company when the truth is they're being a roadblock for the sake of being a roadblock. Or more frightening, to cover up their ignorance or to short-cut understanding the application they're trying to secure.

    In this regard, they likely are miserable people but frankly, you should have people in your security department that are jazzed about IT and security. Not someone who flipped a quarter between CPA and IT professional.

    1. Re:Good or bad by bitslinger_42 · · Score: 4, Insightful

      Sometimes the 'user mindset' gets silly. I often find our users think they're so important to the company that they're justified in doing ANYTHING, including surfing for porn in open cubicles during business hours at world headquarters with tour groups walking past. Or, more frightening, to cover up their ignorance or to short-cut understanding... blah, blah, blah.

      Sure, there are roadblock powertrippers out there in the IT security field, just as there are in pretty much any security field (CIA, cops, mall security, etc.) On the other hand, there are legitimate risks out there that do have real-world bottom-line consequences. No one thinks that viruses are a big deal until you've got an entire factory floor idled because the controller's infected. No one thinks that they'll be hacked and make the news for it, but they do (Caterpillar, TJX, even security company Guidance Software, to name a few).

      What gets me down about my job (yes, I'm in IT security) is not the adversarial nature of it. What really gets me is that absolutely NO ONE really wants security implemented until AFTER the company makes the Wall Street Journal for being hacked. Who gets fired on that day? Often times, it's the security people, despite the fact that they'd been trying to implement countermeasures that would have at least reduced the damage from the attack. Until your company makes the WSJ, security is overhead, a liability, a roadblock. Afterwards, they're the ones who let the barbarians through the gates, regardless of how many times the board denied funding security projects.

      I used to be jazzed about IT security, but 10+ years of being told that nothing overrides the business need, and that I'm nothing but a roadblock has ground me down to the point where I'm just punching the clock and trying to figure out what career path to do next.

      And to all you whiny, lazy, good-for-nothing assholes who can't remember their precious password: Can you remember where your car keys are? Your Social Security Number? Your birthdate? Your wife's birthdate? The phone number to the restaurant that delivers your dinner? The name of the girl you had a crush on in 4th grade? People remember all sorts of things when they want to, and when it's important to them. Now, think about this... if your company makes the WSJ because you set your password to Ripken09, who are they going to fire? Yeah, you're right: they'll can the poor security schmuck that's dedicated his career to compensating for stupid pukes like you, but you'll probably keep your job since there really wasn't much that could be done about the hacker anyway.

      I guess there's the problem in a nutshell. The only people who care enough about security to do something about it are those who stand a chance of losing something when security fails. The vast majority of the time, the only people at risk are the security guys.

      Holy crap, I just re-read that. Never realized how bitter and vindictive I've become. I got to get me a new job!

  11. Re:Could be a coincidence by cbreaker · · Score: 4, Insightful

    I'd love to see your security documentation.

    "i am a it security professional w/10 yrs exp and i recommend bgr passwds."

    I'm guessing you're either full of shit, or have the worst security documentation EVER because you can't use capital letters and you can't write decent English.

    Security is more than downloading and installing anti-virus software, you know.

    --
    - It's not the Macs I hate. It's Digg users. -
  12. re: "traditional security" vs. I.T. security by King_TJ · · Score: 5, Insightful

    I don't know. In many ways, "security" is never anything more than putting up deterrents to crime. The more of them you implement, the more you create inconveniences for YOURSELF, in the process. It never really ensures the PREVENTION of a crime.

    In "traditional" security scenarios, I think people have found a balance they're content with in most cases. (E.g. if I want to secure my house against a break-in, I can stick with the "staple items" we universally employ, such as door and window locks. We've pretty much all established that having to find the proper key for one's door to get inside is a minor hassle, vs. the level of crime deterrence it provides. Optionally, people wanting more can buy an alarm system. Much more hassle, expense and inconvenience, but an added layer of protection everyone understands and can opt for or against with a good sense of the pros and cons.)

    "Computer security" is largely considered "of little real value" by the public because they (usually CORRECTLY) come to the conclusion that it creates too many impediments to being productive with the computer tools given. I.T. security nazis that demand those "tough to guess" passwords that have to be changed regularly only cause people to have too much trouble signing THEMSELVES in. So to work around this? They start writing the passwords down on things they can easily look at. Problem solved, but security measure largely bypassed.

    By the same token, your business can spend thousands and thousands on firewalls and other "network appliances" that all promise to improve security from hackers and outside threats. But one employee can circumvent it ALL with a $50 wireless access point concealed someplace in a drop ceiling, and letting his buddies know they can now get on the LAN from a portable sitting in the parking lot.

    I think many people in charge of spending (whether management or other I.T. workers) are realizing that the basics like merely having SOME kind of password required to log in, a basic NAT firewall in place, some anti-virus/spyware package on the workstations, and maybe a spam filtering service on their email is ALL they realistically need. MOST companies just don't have that much on their network that outside hackers even care to access. The most "sensitive" information is usually just of interest to EMPLOYEES of the company (like salary histories of different people?). So let the one dept. that has to handle that data (H.R.) put extra security measures on it, and keep them from inconveniencing everybody else.....

  13. Re:I'd reply but I'm worried someone will be watch by mabhatter654 · · Score: 3, Insightful

    Good IT security is not about following anybody's agenda but about securing the property. It's like being the night watchman responsible to lock the doors, close the windows, and be on look out for strangers. IT security is not "policing", nor should it be. In my company our guys work hard to keep their jobs non-political. They'll provide facts but not run around snooping on people for the boss. There's a big difference in the two.

  14. Re:Oh yes it does! by mabhatter654 · · Score: 2, Insightful

    That's why many IT departments block as much crap as possible, because THEY don't want to be in that kind of investigation, so they cut off outside email, IM, myspace, etc so people can't make those mistakes with THEIR toys. Sure people will try, but then you have policies in place long before their actions become "illegal" and police get involved.

  15. Re:I'd reply but I'm worried someone will be watch by arth1 · · Score: 4, Insightful

    A few points:

    • Is there a correlation? Maybe, but all I've seen is anecdotal evidence.
    • If there is a correlation, is there a causation? Again, maybe.
    • If there is a causation, in what direction? It could well be that paranoid misanthropes are more drawn to security work, or become better at it.
    • Does your attitude at work necessarily reflect itself as attitude outside work? That, I would think, is highly individual. Some may not be able to switch personalities with ease, and some may not desire to do so.
    • Is the attitude real, or a hat one wears? That's individual, I think. A clown will smile and cry a lot more than the average person, but that doesn't have to be because he's emotional. A policeman might appear brusque and stern, but that might be because they aren't expected to display a big smile when they fine or arrest people -- that would easily be seen as glee and malice.
  16. Re:Love What You Do by KGIII · · Score: 3, Insightful

    I'd so strangle you to death in the elevator on a typical Monday morning. IT, specifically security, is both a means to buy alcohol and a reason to consume it.

    Gone are the days when the ox fall down,
    Take up the yoke and plow the fiends around.
    Gone are the days when the ladies said, "Please,
    Gentle Jack Jones won't you come to me."

    The days of getting to go to work and actually do something constructive, creative, and innovative are mostly over in the current environment. Fix this, patch that, comment this, find same old buffer issues, copy what the other company did, file this, give same report you gave three weeks ago to the same people, and worse...

    Brown-eyed women and red grenadine,
    The bottle was dusty but the liquor was clean.
    Sound of the thunder with the rain pourin' down,
    And it looks like the old man's gettin' on.

    My advice, such as it is, is to leave work at work and home at home. If you can work on not having the security mindset at home and hope for some sort of outlet then great, but that's not the case for most of us.

    Man... I used to hate people who loved their job. These days I do what I love. ;)

    --
    "So long and thanks for all the fish."
  17. It's just a job... by Pedrito · · Score: 4, Insightful

    Okay, a few things here:

    1> Your happiness in general shouldn't be based on your job. Sometimes people take shitty jobs because they need to pay the bills. You think people like cleaning toilets or hauling garbage? Some might, but I suspect most don't really care for it. And yet, I know a lot of people who have shitty jobs but very happy lives. They just learn not to let their job get them down and they learn to make the most of their time outside their job.

    2> That said, if you have the option, you should get a job that brings you pleasure, 'cause it's worth more than money. After all, you're probably spending most of your waking hours doing your job.

    My general impression in IT (not necessarily security), is that the people who do it because they truly enjoy IT, are the ones who are going to be happiest in their jobs. On the other hand, people who go into it only for the money, tend to be the most miserable, unhappy people in IT. It's not just that they may not like it to begin with. They probably liked aspects when they got into it. But working in IT can be more trying than other jobs if you're not into it.

    Most jobs (and not all, obviously), don't require you to constantly stay on top of a very quickly evolving subject matter. Let's face it, once you know accounting for example, you're done. It's not like it's a fast paced field with lots of changing ideas and innovation. The same can be said for most other fields. Obviously most technology related fields are this way. Medicine as well, but largely due to advances in technology and its effect on biology and biochemistry research.

    To be good in tech, you have to stay on top of things and a lot of times, you have to do that outside your job as well as in your job. If you don't love it, or at least like it quite a bit, trying to keep pace with it can be incredibly frustrating.

    Anyway, just my $0.02

  18. Damned if you do... by SanityInAnarchy · · Score: 4, Insightful

    As the saying goes: "Damned if you do, damned if you don't."

    If you don't point out the mistakes, then you're the one who gets blamed when there is (inevitably) a security breach.

    If you do point out the mistakes, you've irritated and embarrassed the user -- and, possibly, forced them into doing something they don't want to.

    Which means, assuming you never make a mistake, the only kind of feedback you'll ever get is negative -- that you were annoying, or that you failed -- never positive. (Compare this to, at the very least, a sysadmin -- bring up a new service, and you get to be a hero, at least for awhile. But nobody ever sees an attack that failed.)

    --
    Don't thank God, thank a doctor!
  19. Stress and progress by jombee · · Score: 3, Insightful

    I've worked in infosec for nearly a decade and it certainly takes a toll. The most stressful situations, by far, are internal investigations and legal proceedings. Unfortunately, I believe the inevitability of these situations is just a byproduct of human nature -- the fact that computers were used is many times incidental. I've seen eye-opening security situations over the years, even some from individuals that I never would have guessed possible. Despite the incredible stress these situations can present, having the support of senior management, legal counsel, family, friends, and good beer has helped tremendously in my long-term attitude.

    You mentioned you're a consultant. Have you considered taking a role to stay with an organization on a more permanent basis? It has been very rewarding for me to look back through my strategic accomplishments over the years. Despite the ever-increasing, disproportionate workload in security I can clearly show progress and in the end that helps give me perspective.

  20. Re:Actuary by carlzum · · Score: 2, Insightful

    That's true, I can think of dozens of jobs that are more depressing than IT Security. Hospice workers, representing the defense in wrongful death lawsuits, and combat soldiers, to name a few. At worst, an IT security auditor has to recommend software and hardware changes to protect a company from financial loss. Consider yourself lucky if that's the only burden your job imposes on your conscience.

  21. Re:Sounds fun! by dangitman · · Score: 4, Insightful

    No, it's more like being strip-searched by a clown.

    --
    ... and then they built the supercollider.
  22. Re:I totally identify with this... by maestro371 · · Score: 2, Insightful

    I've been in Information Security for the last ten years (Analyst, Architect, Manager, Sr. Manager) and have a CISSP and CISM. I began work in this field immediately out of college. I've been to more Blackhat, Defcon, FIRST, ISACA and SANS conferences than I can count (off the top of my head).

    I kind of get what you've written above, and I think you allude to the solution. In the end, Information Security is about Risk Management. Yes, someone could use a needle and inject something into your mustard (I've had that same thought about ketchup; I hate mustard :) ), but the likelihood is so low that there are far more useful things to worry about.

    The same with flying on a plane: yep, it could fall like a rock from 34,000 feet. However, the percentage of flights that actually do that is ridiculously low. It's not something to worry about. And I write that having been on a 737 where one of the engines exploded into flame mid-flight. The pilot put the fire out and we landed on the remaining engine; no harm, no foul. I figure my chances are better for that not happening again.

    Most IT risks are exactly like that. You have to identify what threats exist and the likelihood that those threats will be realized. Then you implement measures to reduce the most egregious threats to acceptable levels.

    Information Security is about managing - not eliminating - risk. In my opinion, thinking about these things has made me smarter (and not more miserable) in my day-to-day decisions. It's not something to get worked up about. These are just facts to consider in dealing with the bigger picture.

  23. Re:Wouldn't this theory apply elsewhere? by PCMeister · · Score: 2, Insightful

    Wouldn't cops and military personnel also be extremely unhappy as well, based on this?

    What makes you think they're not? First responders see some of the worst that human nature is capable of. Same goes for Military personnel, especially those on the front lines. The 'security mindset' changes a person, even if it goes unnoticed. First responders who have children are likely to be over-protective because of their experiences and may be more suspicious of their kids activities. For example, a law enforcement officer who's worked the streets long enough would find it hard to fall for most excuses that a kid may come up with for being late.

    Wouldn't people who work in demolitions, tearing down buildings, be very unhappy?

    Not necessarily. From what I've seen, demolition crews strive to perfect the art, which keeps them going. I don't believe they would be unhappy as new buildings rise in their place.

    Wouldn't this mean that anyone working in a job that had a potential negative impact on others, also be very unhappy? I mean with gas prices what they are, isn't the guy working at the gas station feeling miserable, because people hate paying as much as they are for gas, and he is the front-line representative seeing these reactions?

    Quite the opposite. Given the state of the economy, which is pretty tough for most these days regardless of what the media says, he's happy to have a job. If he has any kind of people skills, which is debatable at most gas stations, he'd make people understand that he's just a pawn in the grand scheme of things. Then again, he might be happy to have a job, but not happy with his station in life; pun intended.

    Regardless of people's opinion on this, perhaps we can all agree that "dedication to duty has a price"? [borrowed from a movie quote] Then again, this is /., so that's highly debatable.

  24. Wrong business... by NitroWolf · · Score: 2, Insightful

    If you don't enjoy what you do. If you aren't enjoying the chase and the finding of security holes. If it makes you crazy or think it might make you crazy. If your professional "paranoia" is causing you emotional/mental issues... then you are in the wrong line of work. The best IT security professionals enjoy all of that, so it does not cause them problems outside of work.

    That can really be applied to any line of work. Any job that causes those sorts of things makes you "less" happy than others in a line of work they enjoy.

  25. "Negative?" by erroneus · · Score: 4, Insightful

    I find there are generally two types of IT person whether they are 'security' IT people or otherwise. There are those who think of the users as 'the enemy' and those who see the users as their reason for being employed. Obviously, I consider myself to be a member of the second set... the former set doesn't fully acknowledge the second set except that the second set "only serve to keep the problem going."

    Long ago, just after the dot-com bubble burst, I began to realize what everyone else forgot during the dot-com boom. The boom occurred because people thought "IT" was some sort of magic bullet that just made money by virtue of its simply being there. Ridiculous amounts of money were spent on IT development and manpower. Anyone and everyone who was tired of their previous job changed over to become "an IT professional" and expected enormous wages... some even got it. (There are still a lot of dot-com boomers in the biz... some deservedly so, and others have no clue or talent at all... we all know one or two, don't we? You know, the 'cert chasers' and 'job hoppers' with enormous resumes who couldn't manage to set up a server for which they hold a certification if their life depended on it?)

    That thing I realized was that "IT" is just a support function for business. Sometimes "IT" is the production side of business, but generally speaking, whether directly or indirectly, IT is a utility function like electric and plumbing. While there are supposed to be higher skills and ability involved in the execution of IT functions, this isn't always the case. Upper management sees IT in this way as well because all of their executive clubs, newsletters and conventions tell them so. This is why they think they can outsource a lot of IT without hurting the company and generally lower the wages of the same group of people they classify as exempt from overtime pay.

    But the realization that IT is an operating expense on business showed me that just being a great IT guy isn't enough -- I have to have the interests of the business at heart as well. And you can't have the interests of the business at heart when you hate your users and what you do. I do hate spam and spammers with no known limits, and crackers polluting the internet drive me a little crazy, but in the end, I recognize the range and limitations of my role in defending against those ass-clowns and focus on my users and mitigating the damage that can be done and balancing any methods I might employ against the needs of my users.

    Another thing I have realized is that the same people who hate their users, probably hate their children as well... if they have any. If doing their job seems to have a negative influence on their personality, I think it's more likely that doing their job merely brings out existing negative tendencies. My point is that they probably already had personality issues to begin with and would likely respond to 'negative' stimulus in the same way whether it's IT or not. Doctors can bitch you out for eating too much. Dentists can bitch you out for not brushing regularly. Mechanics can bitch you out for not changing your oil regularly. And cops might beat you senseless for running a red light. We don't expect or desire these behaviors from people we consider "professional." If you're an IT person and you feel that your users are 'the enemy' then it's time to look at your professional attitude.

  26. Re: "traditional security" vs. I.T. security by dangitman · · Score: 3, Insightful

    You lock them out so they are not calling every hour.

    But that's exactly the problem that it causes. Users are constantly calling the helpdesk because they don't have any control over their systems. They need to get something done, but then they need to wait 2 days for IT to respond to the call, because IT are so backed up with trivial requests.

    Treating the user like an idiot who needs to be protected from him/herself is not the solution. Better to educate people and teach them responsible computing. Hell, if workers don't know not to install malware and randomly downloaded stuff, then what business do they have being employed in a job that uses a computer? Get rid of the idiots, instead of turning people into idiots by not allowing them to learn, or bothering to teach them.

    --
    ... and then they built the supercollider.
  27. Re: "traditional security" vs. I.T. security by dangitman · · Score: 2, Insightful

    Oh, and if Windows is so fucked-up that workers can't be trusted to install things, then what the hell is the IT department doing installing Windows machines in the first place?

    --
    ... and then they built the supercollider.
  28. Re:I'd reply but I'm worried someone will be watch by Amitz+Sekali · · Score: 3, Insightful

    Is he really happy?

    He says that's what keeps him sane.

    Maybe he really means it.

    --
    If you delay pleasure infinitely, the pleasure will be infinite. (YM)
  29. Re: "traditional security" vs. I.T. security by OriginalArlen · · Score: 3, Insightful

    Like many other posters from the "other side of the desk" who've had crappy experiences / perception of corporate infosec, you've got some pretty profound misapprehensions about what real infosec is all about. Security that gets in the way of people doing their jobs IS bad security, as a general rule, because as you observe they will route around it - and then you have a false sense of security, because now you don't know what insecure practices are going on, because the users are actively trying to conceal them from you. This is a Bad Thing. Seriously, I spend a lot of my time giving masses of positive reinforcement to people who do the right thing (like dropping me a mail saying "uh, it's probably nothing, but we're coding up this system which includes a secret admin backdoor, is that OK with you guys?"), and likewise making sure that users know to flag it up and complain, LOUDLY, if security does get in their way. When I get to hear about such issues I put a lot of effort into addressing concerns in a fair way, explaining the risks that eg. rotating strong passwords is designed to protect against, providing tips and hints about how to generate memorable passwords (first letters of a line of a favourite song is one of my favourites), why it's actually OK to write them down on a slip of paper kept in your wallet and so on. I also try to make sure these efforts are highly visible - not because it's a security contest, but precisely because I want to reduce the inevitable "look out, here come those goose-stepping bastards from security again" attitude to the absolute minimum possible. That's also why I try to take the time to chat to real end-users rather than just listening to what managers tell me their people are doing.

    one employee can circumvent it ALL with a $50 wireless access point concealed someplace in a drop ceiling,

    That's what 802.1x is for, and why you spent all that time arguing about the wording of your AUP, and making sure that no-one can claim that they didn't know that installing a network backdoor was grounds for instant dismissal (eg. with regular mandatory refresher training, all@... emails and the like).

    I think many people in charge of spending (whether management or other I.T. workers) are realizing that the basics like merely having SOME kind of password required to log in, a basic NAT firewall in place, some anti-virus/spyware package on the workstations, and maybe a spam filtering service on their email is ALL they realistically need

    Actually, the "right" level of security is as long as a piece of string. What are your assets? What are the risks to them? What (to some arm-waving approximation) is the chance of something bad actually happening? Now compare the costs and benefits. Lo, there is no "one size fits all" solution. For instance my home WLAN is configured with a really crappy WEP encryption doobry, broadcasts its SSID, etc. However only my Dad uses that connection, and the only plaintext stuff going over it is low-value general mail and web usage; on top of that we're miles out in the countryside, we know the families within wifi range personally and none of 'em have computers anyway... and I couldn't make his cheapo wifi dongle work with WPA2. Given that cat 5's impractical without cutting holes in doors (or drilling thru' 18" thick masonry walls and fitting proper conduit.) Oh and I don't run any a/v or firewall on my work machine; I use a hardened BSD and have no network services running apart from ssh on a high port. See what I mean?

    --
    Everything I needed to know about life, I learnt from Blake's Seven
  30. Re:IT Security == Depression? by Anonymous Coward · · Score: 1, Insightful

    Some suggestions/points:

    a) people don't take criticism (even constructive) too well. The way to soften the blow is to offer suggestions or point to them the things they did well.
    b) realize that your job is not everything that you are. It is (unfortunately) a part of yourself and it does somewhat define your identity, but that doesn't mean it should control you. Try to set some boundaries around your job. E.g. I have personally decided not to do anything work-related on weekends any more. That was a big deal for me since I used to spend weekends experimenting. I now do all I need during business hours, but the disadvantage is that I haven't progressed as quickly as I used to. The great thing is that I really feel re-charged on Mondays.
    c) Seek solace in the relationships outside of work. If you don't have those then I strongly suggest you find them: join some outdoor club, play in a team, date on a regular basis, etc.
    d) get support from your manager. He/she needs to be aware of what the challenges are and they need to sometimes run interference for you. Unfortunately you won't get him/her to do it without empowering them by leaving them to make key decisions (which may or may not fall in line with your plans)
    e) remain a human being with your own mind; the fact that you are aware of your condition and fears makes you in that regard a lot more advanced than most people I know. Introspection is good.

    Best of luck and stay in the field if you enjoy it.

  31. Not just IT security by dave562 · · Score: 2, Insightful

    I think that the IT industry in general tends to cater to those with "problem centric" perceptions. I noticed that the problem finding mindset helped me do a better job in IT. Being able to quickly identify what is wrong in any given situation is indispensable for troubleshooting. It is useful for project planning when you are able to present realistic "what if" scenarios that address potential design/implementation issues before they manifest.

    That same mindset isn't always good for dealing with other aspects of life. Who wants to always be focused on solving problems in their relationships, for example? In my case I had to realize the inclination to always find the "negative" aspect of a situation. Once I became able to realize it, I developed the ability to set aside my initial perception and focus on more positive ways of dealing with situations. For example, instead of focusing on what is wrong, I appreciate what is working correctly. By identifying the positive aspects of any particular situation or system I'm better able to bring individuals and departments together. People respond a lot better to a presentation that effectively says, "These systems were implemented to do X, Y and Z. They've been doing them well enough. Let's consider how adjusting A and B will make them even more effective." A few years ago, my presentation would have been more along the lines of, "X, Y and Z are completely cluster fucked. The developers fucked up A and B, and didn't even bother to think of doing C. Now, let's fix this broken pile of shit."

  32. Re:the secret to happiness is to find value in val by dave562 · · Score: 2, Insightful

    I agree that it helps to find happiness outside of work. In my case it is martial arts that I find real enjoyment from these days. Working in IT is a pretty unappreciated and invisible job in the grand scheme of things. A few months ago we had a yearly meeting where the entire organization (only about 200 people) came together in the auditorium. The director and some of the other big wigs got up and proceeded to give various departments kudos for doing different things for the organization. IT didn't get any recognition and I realized we never will. People don't care that they pick up the phone and get a dial tone. They don't care that they have an email/messaging/calendaring system that helps them communicate, makes sure that they get to their meetings and are able to keep everything organized. Most people simply don't realize that there is a lot of effort that goes into providing them with the tools that they take for granted. How does the head of finance know that they made budget? They trust the accounting system. How does the director of development know who to contact for donations? They use their contact lists, email application and the phone systems. How do they know if they made their numbers? They check the fund raising system.