Are IT Security Professionals Less Happy?
zentanu writes "It's said that if you want to be happy, be a gardener. What about IT security professionals?
Having worked as an IT security consultant for several years, I now wonder if my job has a negative influence on my happiness, because it constantly teaches me to focus on the negative side of life: I always have to think about risks and identify all sorts of things that could go wrong.
As an auditor I search for errors that others have made and haughtily tell them. As a penetration tester I break systems that system engineers and administrators have laboriously built. I assume inside threats and have to be professionally suspicious. The security mindset surely helps me in my job, but is it good for me in the long run? What kind of influence has being an IT security professional had on your general attitude towards life? What helps you stay out of pessimism and cynicism? Is protecting existing things really as good as building new ones?"
I have never *ever* used my job when considering my own self worth.
Jobs are the means to make money. Sure if you enjoy them, great, but if you don't, and you judge your self worth by them, well then you're fucked.
It's better to have other measures, other means to judge how well you are doing in life. For me it's my open source coding, and my amateur science efforts, as well as being a dad. Any job I do is only, and will only ever be, the means to provide the necessities of life, like savings, a home, money for my kid and such.
Ok, that's important, but it's not a thing upon which your self image should be based. At least that's how I feel.
A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
A good number of them would be checking bags on the way out of BestBuy if they didn't know how to boot a PC.
My experience lately is that security people, generally, are:
a) not intellectually curious,
b) fearful of change,
c) often suspicious of others' motives because they, themselves, have malevolent intentions, and
d) powertrippers, because they've been given power to second-guess solutions they weren't technically-savvy enough to come up with themselves.
It's fun to discuss something like IPv6 with an IA weenie. He doesn't understand it, so it must be a threat!
BTW, I work for a large federal organization, where these people are everywhere.
The security mindset can definitely do long term harm, in my opinion, assuming you're not careful that is. In order to be really good at it you need to be thinking about new potential exploits all the time, and it's really easy to let that rub off in your ordinary life.
I started seeing trivial security holes everywhere... everything from what's wrong with security labels, and tabs, on food products, and "tamper-proof" pharmacy jars to flaws in ATM vestibule security... you name it.
Honestly I kind of started developing mini-phobias or something about things like, take the security labels on food items. Let's look at a plastic mustard dispenser. Underneath the screw on top it comes with a little tab that you rip off, and somehow this keeps it safe from tampering during the period between when the manufacturer creates the product and when you purchase it.
It's absolute nonsense, and does NOTHING to stop anyone from doing anything to the contents of the mustard dispenser. Should someone want to insert a harmful substance into the bottle it could still be done with a very thin needle. It's really there just to appease the masses into thinking the product is somehow made "safe" by the introduction of that little security tab.
So I think about that, then I start to think... oh man, even my mustard's not safe, what if someone did something to it!?!?
It's ridiculous, and completely irrational. I don't think in the history of the modern food distribution system has anything ever happened to anyone's mustard. We all hear horror stories about Halloween candy, and over the counter medicine but I think in large part that stuff is all urban legend.
I think absolutely, yes the security mindset can cause mental health problems, in minor ways for some, and for others who are more prone to thinking negative thoughts perhaps in major ways.
The key, I think, with the security profession is that in order to stay on top of the game you need to always be thinking about how the next attack could arrive. Criminals are creative, and so must be the security people as well. In training your mind to think this way I can see how people would find it easy to become unhappy in other areas of life too.
I no longer do security work, but it's not because of finding it difficult to keep that work / life balance alive (I just got another better opportunity in a different sector). Still to this day I have some lingering security thoughts about things, but all I can do is try to think logically about them.
Just because something is insecure that doesn't mean it's worth worrying about. There's a big incentive for criminals to find any way possible to gain access to a sensitive or desirable computer system, but there's very little gain in tampering with a bottle of mustard ;).
As you stated in your question, it sounds more like you're starting to see the pessimistic side of things everywhere. Everyone's a potential threat. I think no matter what it is it's a similar expression of the same issue: security people get paid to do nothing but worry.
It's not a totally correct analogy, but I think it serves well enough. Now that I'm out of the security business I am pretty thankful. I never realized how much of a burden it was until it was gone. The less time I spend thinking about potential security holes the better I feel in general :). I think it's safe to say security pro just isn't the job for me... perhaps others are made for it.
Seriously though I don't know how people do it. How DO you do that job and not immediately size up threats? How do you not instantly look for the gaping security hole in the access panel on the ATM you're using? How do police men not become jaded and see the potential crime in every situation?
I think some people don't... they do become jaded. But others, the ones who stay happy, they just fight through it. I honestly think it's a choice. You are in control of your mind, and you choose what you le
OK, so you can either be a security dick and "haughtily" tell people of their errors, etc, or you can actually help the sysadmins. And I don't mean help by slapping your polished report on the manager's desk and think you're helping by listing all the things they've done wrong.
No, get down in the trenches. Build a relationship with the engineers and sysadmins, so that you work together. They'll start coming to you before they make mistakes asking you to help them double check their work. I worked at one shop where the security team was just like this. We'd work with them on what we did, and prevented tons of mistakes before there was ever an issue and things moved to production.
Then you have the security team I work with now, who we simply call "Team No." They're pretty useless, everyone hates ever having to deal with them. They're the type that when you ask for help designing a secure system will respond it's not their job. When you question them they'll haughtily respond "I know what I'm doing, I'm a CISSP!!!" Big freakin' deal, I respond, so am I. But the net result is without cooperation, they'll never truly be able to secure our systems.
Please be the kind of security guy that is a help not a hindrance. And then I'm sure you'll start going home at the end of the day feeling much better about yourself.
I'm not sure, but back in the days when I worked as a programmer making a poker game (before the craze broke out about online gaming) I was constantly feeling numb about the whole programming deal spending some of my days just surfing around feeling kinda worthless to the company and that in turn made me feel kinda worthless too in the long run.
About 7 years ago I started working in craft, with tile laying (bathrooms etc), and I never had a bad day. Sure some days are tough but when the day is done I always feel like I made a difference, and I'm not mentally exhausted when I get home, so I could for instance do some programming for fun or whatever.
It's not true for everyone of course, I know plenty of people that can handle it, but for me it seems like the more work I get done the better I feel. And with my job I can make other people happy, that kinda helps. With IT you are just making people less miserable.
Late night rant, gotta sleep :-) (.se)
Security nut for local network speaking. Since Security is the antithesis of Usability, you are not popular for doing your job. If you introduce a new security regime that makes things "hard" for people to do their jobs you are seen as a roadblock in the road of progress. If your security regime is not tight enough you are blamed for data leaks.
With this in mind, you need to derive your happiness from other places than people's praise. I'd say the GP's post example is of a person who has learned to derive happiness from both family life and playing in a band.
I know I get happiness not from doing the security work, but from other sources that are funded by the security work. I can definitely corroborate the correlation with more anecdotal evidence of my own experience.
Now I must get back to writing more policy.
A sig is placed here
To display how futile
English Haiku is