Show Notes: https://justinfimlaid.com/the-cavalry-is-not-coming
Contact Me: https://justinfimlaid.com/contact-me/
I hear it all the time: security burnout is high. It wasn't until this week that I realized that folks got the reason for burnout completely wrong. After listening to someone tell me that a large tech company burns out their staff due to work volume and rotates the staff every 2 years, I realized we have it twisted. I don't know about you, but most security folks I know love doing security, and a 60-hour week hasn't burnt anyone out when they do what they love. If a 60-hour week does burn you out, then I'd recommend changing your profession as a matter of mental health. Go do something you love to do; then no one would have to pay you to work, because you'd do it for free because you love it.
As a former CISO I can say firsthand that the work never burnt me out. The environment and people are what burned me out. What I mean by that is that having accountability for security and no direct responsibility for security in a $6B organization was incredibly stressful. Most security folks I know are in this spot. They have accountability for enterprise security, but the role and action of security is distributed across the organization.
Also, there should be some segregation of duties between IT and Security. Since security is often monitoring an environment, they often see mistakes made by peers in the company outside of security. Those mistakes can make security challenging, but those same peers often have little motivation to clean up those mistakes unless it directly impacts their job. So, security having to feel like they are in the position of digital janitor and clean-up crew can be exhausting. There are only so many times you'll clean up the spilled milk before you just leave it spilled.
has become a political position: evangelizing for security, educating your work colleagues on security, all so those same company peers, when faced with a security decision, will self-select the correct decision related to security when no one is looking.
To amplify matters, you don't have all the budget you need or want to do your job. Nor, likely, do you have all the actual authority to make the decisions you want to. The threat landscape is also shifting, so tomorrow is always a new type of cyber attack.
All this is to say that it's a tough job. Not because of workload alone; the surrounding intangibles of working in organizations that are probably excited to pass off security can be draining.
I've got news for you, the Cavalry is NOT Coming. You are on your own.
For those of you listening to this and maybe not grasping the challenge, let me propose an analogy. We've all been out to dinner at a restaurant. Let's say being a CISO is like being the chef of the restaurant. In this analogy the chef is accountable for your meal, but not responsible for preparing it or delivering it. The chef has a partial budget, and needs to convince other kitchen staff to pool their budget to buy the food needed to serve the menu. The kitchen staff, however, also have other department chefs they work for, which diverts their attention. To make matters more complicated, the kitchen is consistently invaded by rodents, and kitchen hygiene is hard to keep up with. Our chef also has limited say as to the quality of food prepared, presentation of the food, and delivery of the food.
Now, if you went to a restaurant and knew your chef had a limited budget, the chef was not directly responsible for the kitchen staff, the kitchen staff also served other department chefs (so they have limited attention to your meal), the chef had no say on how your food was plated or served, and the kitchen was occasionally raided by rats, how good do you think your meal would be?