Slashdot Mirror
Are IT Security Professionals Less Happy?
zentanu writes "It's said that if you want to be happy, be a gardener. What about IT security professionals?
Having worked as an IT security consultant for several years, I now wonder if my job has a negative influence on my happiness, because it constantly teaches me to focus on the negative side of life: I always have to think about risks and identify all sorts of things that could go wrong.
As an auditor I search for errors that others have made and haughtily tell them. As a penetration tester I break systems that system engineers and administrators have laboriously built. I assume inside threats and have to be professionally suspicious. The security mindset surely helps me in my job, but is it good for me on the long run? What kind of influence has being an IT security professional had on your general attitude towards life? What helps you stay out of pessimism and cynicism? Is protecting existing things really as good as building new ones?"
I'm an IT consultant with over 30 years experience since I graduated. There are good times and bad times.
The good times for me were in the mid 1990's when I worked in the old Soviet Block. There, I could see the work I was doing making a difference.
The bad times were when the company I worked for got taken over and the whole job changed. Suddenly we were supposed to apply production line metrics to consulting assignments.
Luckily I got out and started on my own.
However in your job, it does weem that you are predominantly occupied looking at the down side of IT. Keeping those pesky hackers at bay is not a job I'd want to do.
I'm a fairly creative person. So I have concentrated in spending more time doing things outside of IT.
I've just signed a deal to get my first novel published. Not a huge amount of money. But I can concentrate on the positive for at least part of the day.
Perhaps you do really need to take a long hard look at your work life balance.
I'd rather be riding my '63 Triumph T120.
Why do you think they call them server farms?
Seriously, being a system admin is like being a commercial-grade landscaper or farmer.
If a system admin has a good job, he'll have the authority to decide what to plant/what equipment to install, what to feed it and how often to water it/what scheduled hardware and software maintenance is necessary, etc.
He will also tend the garden/maintain the system and reap and share the rewards for his efforts/get paid and have happy customers or bosses.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Come on. Get over yourself. Cops, laywers, doctors, nurses, paramedics, military people... these walks of life deal with human misery, pain and suffering every day. If you're so worried about offending your sunny disposition maybe you should join a convent.
Listen, in any field if you can't take enjoyment out of what you're doing then (a) you should change your profession, or (b) realize if you can't do (a) you're in the same boat with about 80% of the rest of the population.
As a member of the IT world, security-related or otherwise, you have intellectual challenges and brain-teasers to deal with on a constant basis. Testing your knowledge and skill, forcing you to re-evaluate whether you're as good as you think you are every step of the way. And yet, even in such a position you're bound to go through times when you find yourself working for some real asshole(s). They're no fun, either, but you have to keep plugging away.
Either that or apply for a job at the factory where they make those "Have A Nice Day!" bumper stickers. Oh wait ... that's in China. Never mind.
Real Question: WHY?
In "traditional" security, people can ascertain the threats on their own - so they are happy to allow the "security" department to interrupt their life (e.g. - using keys to open locks).
In IT security, people just want to download cool screen savers. Most simply don't see the risk. As such, the job of an IT security professional is much more difficult (e.g. - "why can't my password just be the name of my dog?").
So, most people who work in IT security are made out to be Mordac - "Preventer of information services".
More
I used to be a software developer for many years and am not in IT security. For me, IT security is actually more satisfying. I'd much rather be the person responsible for finding security weaknesses and assessing risk than the person responsible for getting high quality systems built under tight deadlines.
When you present your security assessment findings to the developers/engineers, there's no need to be haughty about it. Nobody's perfect and every system is going to have some bugs and weaknesses in it. Just present the risks in a matter of fact way so that the people in charge will understand and can make informed decisions on what to fix and how quickly.
Also, when you do security assessments / pen tests, why not also include a section in your report where you tell the developers what they're doing well from a security standpoint? I always do this, which helps to balance out the negative aspects of a pen test makes the developers feel good before I show them what they need to improve on.
Hasn't it been fairly well established that more intelligent people are less likely to be happy in general? Being good at IT security (and not just an appliance operator, trained to run a few tools and read the generated reports) requires a fair amount of creative thinking and intelligence. I've worked in the field in the past, and I don't think it's specifically the adversarial mindset that causes unhappiness. I actually had a lot of fun doing that stuff - at least, when my work was appreciated by those I was advising and I wasn't seen as an interloper. That depends more on people skills, both on the working level and in management.
On the other hand, for the last few years I've worked on projects that are ostensibly for the public good, ensuring safe water supplies and such, but I've been rather unhappy with it. Why? Because the company I was working for was far better at securing grants and government contracts than at building anything useful and actually putting it to use beyond carefully controlled tests and demos. I came to realize that nothing I ever did there would ever really matter.
Since then I've been self-employed, doing ten times as much work but I'm happier.
It's a thankless job.
Think about it, you have to constantly deal with user mistakes or quite often the mistakes of others and correct them. By correcting someone's mistake you are showing them their faults, not generally a good idea if you want people to be nice to you.
Therefore you end up with user aggression towards the people who provide their computer support.
And when it's the fault of faulty hardware they blame you, you can't win.
If you say you're happy, then why question that?
All I know is that when I worked with mainframes there was no such job classification as "security professional" unless you count the people in charge of guarding the building.
When one mainframe needed to communicate with another we did so over leased lines, and the notion of receiving an executable from another mainframe and running it automatically I don't think would have ever occurred to anyone.
While you might conclude that having a powerful computer on everyone's desktop makes the security exposures we have today inevitable, I don't think it necessarily follows from that that enterprise computing should be as vulnerable as it has gotten. Obviously the "PC revolution" has not resulted in economies of scale, quite the opposite. How many orders of magnitude has growth in enterprise IT gone through? I guarantee you right here an Slashdot there are people who see no problem in downloading large chunks of sensitive data to a machine (even a laptop) outside the data center, for either temporary fiddling, local cache, or whatever and then (if the machine hasn't gotten lost or broken) uploading it to the corporate database overlaying intermediate transactions.
I talk to people working in these environments quite frequently who just don't have a clue. Someone in your job has to not only constantly try and stay a jump ahead of crackers (not hackers!) but also fight with people who are supposed to be on your side about how rules you impose keep them from getting their job done (or so they think). Our profession has been considerably dumbed down in my opinion by the advent of desktop computing. There is no solution in sight. That's why I would find a job like yours unappealing.
Sometimes the 'security mindest' gets silly. I often find our security team thinks they're being paranoid for the good of the company when the truth is they're being a roadblock for the sake of being a roadblock. Or more frightening, to cover up their ignorance or to short-cut understanding the application they're trying to secure.
In this regard, they likely are miserable people but frankly, you should have people in your security department that are jazzed about IT and security. Not someone who flipped a quarter between CPA and IT professional.
I'd love to see your security documentation.
"i am a it security professional w/10 yrs exp and i recommend bgr passwds."
I'm guessing you're either full of shit, or have the worst security documentation EVER because you can't use capital letters and you can't write decent English.
Security is more than downloading and installing anti-virus software, you know.
- It's not the Macs I hate. It's Digg users. -
I don't know. In many ways, "security" is never anything more than putting up deterrents to crime. The more of them you implement, the more you create inconveniences for YOURSELF, in the process. It never really ensures the PREVENTION of a crime.
In "traditional" security scenarios, I think people have found a balance they're content with in most cases. (EG. If I want to secure my house against a break-in, I can stick with the "staple items" we universally employ, such as door and window locks. We've pretty much all established that having to find the proper key for one's door to get inside is a minor hassle, vs. the level of crime deterrence it provides. Optionally, people wanting more can buy an alarm system. Much more hassle, expense and inconvenience, but an added layer of protection everyone understands and can opt for or against with a good sense of the pros and cons.)
"Computer security" is largely considered "of little real value" by the public because they (usually CORRECTLY) come to the conclusion that it creates too many impediments to being productive with the computer tools given. I.T. security nazis that demand those "tough to guess" passwords that have to be changed regularly only cause people to have too much trouble signing THEMSELVES in. So to work around this? They start writing the passwords down on things they can easily look at. Problem solved, but security measure largely bypassed.
By the same token, your business can spend thousands and thousands on firewalls and other "network appliances" that all promise to improve security from hackers and outside threats. But one employee can circumvent it ALL with a $50 wireless access point concealed someplace in a drop ceiling, and letting his buddies know they can now get on the LAN from a portable sitting in the parking lot.
I think many people in charge of spending (whether management or other I.T. workers) are realizing that the basics like merely having SOME kind of password required to log in, a basic NAT firewall in place, some anti-virus/spyware package on the workstations, and maybe a spam filtering service on their email is ALL they realistically need. MOST companies just don't have that much on their network that outside hackers even care to access. The most "sensitive" information is usually just of interest to EMPLOYEES of the company (like salary histories of different people?). So let the one dept. that has to handle that data (H.R.) put extra security measures on it, and keep them from inconveniencing everybody else.....
A few points:
Okay, a few things here:
1> Your happiness in general shouldn't be based on your job. Sometimes people take shitty jobs because they need to pay the bills. You think people like cleaning toilets or hauling garbage? Some might, but I suspect most don't really care for it. And yet, I know a lot of people who have shitty jobs but very happy lives. They just learn not to let their job get them down and they learn to make the most of their time outside their job.
2> That said, if you have the option, you should get a job that brings you pleasure, 'cause it's worth more than money. After all, you're probably spending most of your waking hours doing your job.
My general impression in IT (not necessarily security), is that the people who do it because they truly enjoy IT, are the ones who are going to be happiest in their jobs. On the other hand, people who go into it only for the money, tend to be the most miserable, unhappy people in IT. It's not just that they may not like it to begin with. They probably liked aspects when they got into it. But working in IT can be more trying than other jobs if you're not into it.
Most jobs (and not all, obviously), don't require you to constantly stay on top of a very quickly evolving subject matter. Let's face it, once you know accounting for example, you're done. It's not like it's a fast paced field with lots of changing ideas and innovation. The same can be said for most other fields. Obviously most technology related fields are this way. Medicine as well, but largely due to advances in technology and its effect on biology and biochemistry research.
To be good in tech, you have to stay on top of things and a lot of times, you have to do that outside your job as well as in your job. If you don't love it, or at least like it quite a bit, trying to keep pace with it can be incredibly frustrating.
Anyway, just my $0.02
So, most people who work in IT security are made out to be Mordac - "Preventer of information services".
I do a fair amount of "security engineering" - designing and implementing secure systems. What I have found is that in most cases the reason people (users) see the security people as "preventer of information services" is because the security people don't give a shit about actually using the systems, only about securing them.
I've come to believe that to be a really good security engineer requires loads of human-factors type expertise because the problem is not just how to secure the system, but really how to enable the users to do their work as easily as possible in a secure fashion.
The classic example is the password policy that is so byzantine that nobody can remember their own passwords - sure it is secure on paper, but because nobody took into account that actual people have to use it, the net result is that people 'cheat' and write down their passwords or come up with password creation schemes that produce easily human-guessable passwords if you know any of the previous passwords (!ReD_111, @BluE_222, #GreeN_333, etc).
When information is power, privacy is freedom.
As the saying goes: "Damned if you do, damned if you don't."
If you don't point out the mistakes, then you're the one who gets blamed when there is (inevitably) a security breach.
If you do point out the mistakes, you've irritated and embarrassed the user -- and, possibly, forced them into doing something they don't want to.
Which means, assuming you never make a mistake, the only kind of feedback you'll ever get is negative -- that you were annoying, or that you failed -- never positive. (Compare this to, at the very least, a sysadmin -- bring up a new service, and you get to be a hero, at least for awhile. But nobody ever sees an attack that failed.)
Don't thank God, thank a doctor!
No, it's more like being strip-searched by a clown.
... and then they built the supercollider.
I find there are generally two types of IT person whether they are 'security' IT people or otherwise. There are those who think of the users as 'the enemy' and those who see the users as their reason for being employed. Obviously, I consider myself to be a member of the second set... the former set doesn't fully acknowledge the second set except that the second set "only serve to keep the problem going."
Long ago, just after the dot-com bubble burst, I began to realize what everyone else forgot during the dot-com boom. The boom occurred because people thought "IT" was some sort of magic bullet that just made money by virtue of its simply being there. Ridiculous amounts of money were spent on IT development and manpower. Anyone and everyone who was tired of their previous job, changed over to become "an IT professional" and expected enormous wages... some even got it. (There's still a lot of dot-com boomers in the biz... some deservedly so, and others have no clue or talent at all... we all know one or two don't we? You know, the 'cert chasers' and 'job hoppers' with enormous resumes who couldn't manage to set up a server for which he has a certification if his life depended on it?)
That thing I realized was that "IT" is just a support function for business. Sometimes "IT" is the production side of business, but generally speaking, whether directly or indirectly, IT is a utility function like electric and plumbing. While there are supposed to be higher skills and ability involved in the execution of IT functions, this isn't always the case. Upper management sees IT in this way as well because all of their executive clubs, newsletters and conventions tell them so. This is why they think they can outsource a lot of IT without hurting the company and generally lower the wages of the same group of people they classify as exempt from overtime pay.
But the realization that IT is an operating expense on business showed me that just being a great IT guy isn't enough -- I have to have the interests of the business at heart as well. And you can't have the interests of the business at heart when you hate your users and what you do. I do hate spam and spammers with no known limits, and crackers polluting the internet drive me a little crazy, but in the end, I recognize the range and limitations of my role in defending against those ass-clowns and focus on my users and mitigating the damage that can be done and balancing any methods I might employ against the needs of my users.
Another thing I have realized is that the same people who hate their users, probably hate their children as well... if they have any. If doing their job seems to have a negative influence on their personality, I think it's more likely that doing their job merely brings out existing negative tendencies. My point is that they probably already had personality issues to begin with and would likely respond to 'negative' stimulus in the same way whether it's IT or not. Doctors can bitch you out for eating too much. Dentists can bitch you out for not brushing regularly. Mechanics can bitch you out for not changing your oil regularly. And cops might beat you senseless for running a red light. We don't expect or desire these behaviors from people we consider "professional." If you're an IT person and you feel that your users are 'the enemy' then it's time to look at your professional attitude.