Are IT Security Professionals Less Happy?

zentanu writes "It's said that if you want to be happy, be a gardener. What about IT security professionals? Having worked as an IT security consultant for several years, I now wonder if my job has a negative influence on my happiness, because it constantly teaches me to focus on the negative side of life: I always have to think about risks and identify all sorts of things that could go wrong. As an auditor I search for errors that others have made and haughtily tell them. As a penetration tester I break systems that system engineers and administrators have laboriously built. I assume inside threats and have to be professionally suspicious. The security mindset surely helps me in my job, but is it good for me on the long run? What kind of influence has being an IT security professional had on your general attitude towards life? What helps you stay out of pessimism and cynicism? Is protecting existing things really as good as building new ones?"

I thought system admins were gardeners

[davidwr]

Why do you think they call them server farms?

Seriously, being a system admin is like being a commercial-grade landscaper or farmer.

If a system admin has a good job, he'll have the authority to decide what to plant/what equipment to install, what to feed it and how often to water it/what scheduled hardware and software maintenance is necessary, etc.

He will also tend the garden/maintain the system and reap and share the rewards for his efforts/get paid and have happy customers or bosses.

Oy vay

[PingXao]

Come on. Get over yourself. Cops, laywers, doctors, nurses, paramedics, military people... these walks of life deal with human misery, pain and suffering every day. If you're so worried about offending your sunny disposition maybe you should join a convent.

Listen, in any field if you can't take enjoyment out of what you're doing then (a) you should change your profession, or (b) realize if you can't do (a) you're in the same boat with about 80% of the rest of the population.

As a member of the IT world, security-related or otherwise, you have intellectual challenges and brain-teasers to deal with on a constant basis. Testing your knowledge and skill, forcing you to re-evaluate whether you're as good as you think you are every step of the way. And yet, even in such a position you're bound to go through times when you find yourself working for some real asshole(s). They're no fun, either, but you have to keep plugging away.

Either that or apply for a job at the factory where they make those "Have A Nice Day!" bumper stickers. Oh wait ... that's in China. Never mind.

Re:Oy vay

[Nezer]

Come on. Get over yourself. Cops, laywers, doctors, nurses, paramedics, military people... these walks of life deal with human misery, pain and suffering every day.

Are you saying that because other people can do it then the he/she should too? If so I can't help but ask who are you to tell someone what they can and cannot do? This is known as "minimization" and can be a very ineffective, not to mention damaging, way to communicate with someone.

If you're so worried about offending your sunny disposition maybe you should join a convent.

Can you sense the hostility?

Listen, in any field if you can't take enjoyment out of what you're doing then (a) you should change your profession, or (b) realize if you can't do (a) you're in the same boat with about 80% of the rest of the population.

That 80% of the population you claim has the same capability to make choices about their life that the other 20% do. People choose what they do for their own reasons, not for yours or mine.

but you have to keep plugging away.

*YOU* might have to keep plugging away but the OP doesn't. That's for him/her to decide. Besides that, 80% of statistics are made up 20% of the time.

You make some good points but I sense a lot of underlying hostility in your comments that, if I saw in myself (and, believe me I have) would eventually force me to take an inventory about where I am in life.

The OP asked a very good question and you have seemingly interpreted it as him griping about his job. Maybe that is the subtext that spawned the question but it is not how the question is presented.

Re:Short Answer

[dsginter]

Real Question: WHY?

In "traditional" security, people can ascertain the threats on their own - so they are happy to allow the "security" department to interrupt their life (e.g. - using keys to open locks).

In IT security, people just want to download cool screen savers. Most simply don't see the risk. As such, the job of an IT security professional is much more difficult (e.g. - "why can't my password just be the name of my dog?").

So, most people who work in IT security are made out to be Mordac - "Preventer of information services".

Less Happy? How About More Happy!

I used to be a software developer for many years and am not in IT security. For me, IT security is actually more satisfying. I'd much rather be the person responsible for finding security weaknesses and assessing risk than the person responsible for getting high quality systems built under tight deadlines.

When you present your security assessment findings to the developers/engineers, there's no need to be haughty about it. Nobody's perfect and every system is going to have some bugs and weaknesses in it. Just present the risks in a matter of fact way so that the people in charge will understand and can make informed decisions on what to fix and how quickly.

Also, when you do security assessments / pen tests, why not also include a section in your report where you tell the developers what they're doing well from a security standpoint? I always do this, which helps to balance out the negative aspects of a pen test makes the developers feel good before I show them what they need to improve on.

Correlation vs Causation

[Rorschach1]

Hasn't it been fairly well established that more intelligent people are less likely to be happy in general? Being good at IT security (and not just an appliance operator, trained to run a few tools and read the generated reports) requires a fair amount of creative thinking and intelligence. I've worked in the field in the past, and I don't think it's specifically the adversarial mindset that causes unhappiness. I actually had a lot of fun doing that stuff - at least, when my work was appreciated by those I was advising and I wasn't seen as an interloper. That depends more on people skills, both on the working level and in management.

On the other hand, for the last few years I've worked on projects that are ostensibly for the public good, ensuring safe water supplies and such, but I've been rather unhappy with it. Why? Because the company I was working for was far better at securing grants and government contracts than at building anything useful and actually putting it to use beyond carefully controlled tests and demos. I came to realize that nothing I ever did there would ever really matter.

Since then I've been self-employed, doing ten times as much work but I'm happier.

If it floats your boat

[cmacb]

If you say you're happy, then why question that?

All I know is that when I worked with mainframes there was no such job classification as "security professional" unless you count the people in charge of guarding the building.

When one mainframe needed to communicate with another we did so over leased lines, and the notion of receiving an executable from another mainframe and running it automatically I don't think would have ever occurred to anyone.

While you might conclude that having a powerful computer on everyone's desktop makes the security exposures we have today inevitable, I don't think it necessarily follows from that that enterprise computing should be as vulnerable as it has gotten. Obviously the "PC revolution" has not resulted in economies of scale, quite the opposite. How many orders of magnitude has growth in enterprise IT gone through? I guarantee you right here an Slashdot there are people who see no problem in downloading large chunks of sensitive data to a machine (even a laptop) outside the data center, for either temporary fiddling, local cache, or whatever and then (if the machine hasn't gotten lost or broken) uploading it to the corporate database overlaying intermediate transactions.

I talk to people working in these environments quite frequently who just don't have a clue. Someone in your job has to not only constantly try and stay a jump ahead of crackers (not hackers!) but also fight with people who are supposed to be on your side about how rules you impose keep them from getting their job done (or so they think). Our profession has been considerably dumbed down in my opinion by the advent of desktop computing. There is no solution in sight. That's why I would find a job like yours unappealing.

re: "traditional security" vs. I.T. security

[King_TJ]

I don't know. In many ways, "security" is never anything more than putting up deterrents to crime. The more of them you implement, the more you create inconveniences for YOURSELF, in the process. It never really ensures the PREVENTION of a crime.

In "traditional" security scenarios, I think people have found a balance they're content with in most cases. (EG. If I want to secure my house against a break-in, I can stick with the "staple items" we universally employ, such as door and window locks. We've pretty much all established that having to find the proper key for one's door to get inside is a minor hassle, vs. the level of crime deterrence it provides. Optionally, people wanting more can buy an alarm system. Much more hassle, expense and inconvenience, but an added layer of protection everyone understands and can opt for or against with a good sense of the pros and cons.)

"Computer security" is largely considered "of little real value" by the public because they (usually CORRECTLY) come to the conclusion that it creates too many impediments to being productive with the computer tools given. I.T. security nazis that demand those "tough to guess" passwords that have to be changed regularly only cause people to have too much trouble signing THEMSELVES in. So to work around this? They start writing the passwords down on things they can easily look at. Problem solved, but security measure largely bypassed.

By the same token, your business can spend thousands and thousands on firewalls and other "network appliances" that all promise to improve security from hackers and outside threats. But one employee can circumvent it ALL with a $50 wireless access point concealed someplace in a drop ceiling, and letting his buddies know they can now get on the LAN from a portable sitting in the parking lot.

I think many people in charge of spending (whether management or other I.T. workers) are realizing that the basics like merely having SOME kind of password required to log in, a basic NAT firewall in place, some anti-virus/spyware package on the workstations, and maybe a spam filtering service on their email is ALL they realistically need. MOST companies just don't have that much on their network that outside hackers even care to access. The most "sensitive" information is usually just of interest to EMPLOYEES of the company (like salary histories of different people?). So let the one dept. that has to handle that data (H.R.) put extra security measures on it, and keep them from inconveniencing everybody else.....

Re:Short Answer

[Jah-Wren+Ryel]

So, most people who work in IT security are made out to be Mordac - "Preventer of information services".

I do a fair amount of "security engineering" - designing and implementing secure systems. What I have found is that in most cases the reason people (users) see the security people as "preventer of information services" is because the security people don't give a shit about actually using the systems, only about securing them.

I've come to believe that to be a really good security engineer requires loads of human-factors type expertise because the problem is not just how to secure the system, but really how to enable the users to do their work as easily as possible in a secure fashion.

The classic example is the password policy that is so byzantine that nobody can remember their own passwords - sure it is secure on paper, but because nobody took into account that actual people have to use it, the net result is that people 'cheat' and write down their passwords or come up with password creation schemes that produce easily human-guessable passwords if you know any of the previous passwords (!ReD_111, @BluE_222, #GreeN_333, etc).