00:35 Ministry of Sound, London, UK – We all know what professional development is; I am going to talk about the opposite: professional degeneration. If you ask mid-and-advanced-career information security professionals about their jobs in information security, most of them may not express the kindest sentiments. That might be a gross understatement – not many are fond of their profession these days. In fact, tech recruiter Mondo reports that 60% of IT security professionals are looking to leave their current job, citing:
unhealthy work environment (53%); lack of IT security prioritization from C-level or upper management (46%); unclear job expectations (37%) and lack of mentorship (30%).
The reasons why a job in InfoSec is toxic have become apparent. First, the environment is one of constant stress. For those of us with backgrounds in law enforcement and military service, we know all too well what “the suck” is.
The reality is that many blue teams, red teams or IT human resources who now have IT security responsibilities added to their jobs find themselves in a constant battlespace; war without end and no quick reaction force coming to the rescue. Alone and outnumbered – it seems that those of us on the defending side are fighting an advanced robot-cyber-crime army with little more than cyber muskets.
Second, adding additional stress is the day-to-day family life; one that is frequently interrupted by cybersecurity or technological incidents. The security professional often develops a pessimistic attitude, ultimately leading to anger – “the dark side of the force” if you will. Recognize parallels between police/military life and information security (for better or for worse) and I think you can begin to understand how frustration and anger become the preeminent coping method. Not the optimal SITREP.
It turns out a simmering state of anger is not healthy to the human body or mind. OK, no great newsflash. While anger can be a motivator as a short-term coping strategy or to overcome fear, sadness, insecurity or other feelings, anger demands action and that action – without proper training – is frequently ill-conceived, lacks self-awareness, and moves straight into harmful results – to others and/or self. Potentially physical and mental harm.
In InfoSec this can mean bitchy emails, texts, tweets, face-to-face arguments or other forms of confrontation. In the military, we may take to the gun range to release anger. The point is, it’s all unhealthy behavior. In the workforce, it might look like this:
Situation -> Anger -> Action -> Unemployment and the cycle regenerates back to even more anger – “If they only listened to me!” Cue righteous indignation.
It’s important to understand that the default human feeling is not anger – if this is your default setting you have some serious therapy ahead of you! As your InfoSec career grows, likely, so too will your disappointments and setbacks. Concurrently, so does the propensity to consume mind-altering substances as a coping mechanism.
Hence, alcohol and substance abuse grow along with your career. It’s not due to weakness in discipline or some character flaw – it’s a way of at least temporarily making the anger (or pain) go away. What happened? You didn’t start out that way.
Far be it from me to demonize alcohol or other self-medicating remedies, but some alcohol is not the problem. It’s when it turns into “All the Alcohols” and it’s the only way you can get to sleep – a/k/a pass out, that’s when you’re headed into troubled waters. So, through a personal journey of discovery and exploration let me present some of my “scientific” findings. In true InfoSec style here are the top 4 things you need to know about alcohol:
- Alcohol does not make you make bad decisions. Alcohol makes it easier to make bad decisions
- Alcohol will never take responsibility for your actions. You must take responsibility for your actions
- You never have to drink alcohol, there is always a non-alcoholic option.
And lastly the controversial point number four:
Alcohol at InfoSec Cons is not the problem. You are the problem – if that’s your problem. Don’t judge others and their coping strategies – make your own damn choices. I hear about a lot of folks complaining about the toxicity of InfoSec and its encouragement of drinking – you don’t have to be that person.
Keep this in mind – a lot of the top tier of InfoSec professionals have struggled and many of them drink only in moderation or not at all – get on Twitter and ask them – no one starts un-hackable and can handle everything InfoSec throws at them.
What’s the downside of deciding to not be hungover the next day at Con? There is, potentially, one: other people. General “Mad Dog” Mattis is quoted as saying, “Be polite, be professional, but have a plan to kill everybody you meet.” Not drinking or even drinking in moderation does not necessarily require such an aggressive plan – but if the pressure becomes too much you need an exit strategy or at least a cohort of like-minded InfoSec buddies.
Another important aspect is how people treat the non-drinker in a group or social situation. In the words of a very successful information security professional:
“Often, the non-drinker is vilified. Praised and then left out of group activities, as the group wants to protect your sobriety. This is one of the many reasons I choose to keep my sobriety personal and not share.” By any measure a dick-move which could be avoided by a little emotional intelligence on the part of members of the group. More to the point, making assumptions about “protecting someone’s sobriety” is the height of arrogance – it’s not up to you.
So, the real question is how do we change our mind-set about InfoSec and avoid excessive amounts of self-medication? I talked to another very successful information security professional, who has managed to achieve a sort of Zen-like ambivalence when it comes to his thirty-plus-year InfoSec career:
- Focus on what in your life makes you feel good and the reasons why those things make you feel good. What are you truly grateful for in your life?
- Focus on helping others to create a positive feedback loop for when you need help from others. Don’t be afraid to be vulnerable with people important to you.
- Stop comparing yourself to others and try to relate to others instead. If you can see things through their eyes, you have improved your own vision!
- Be humble and do something nice for someone else each day. But don’t brag about it.
- Take responsibility and when you make a mistake own it, understand why you made it and commit to not making it again. Don’t put yourself in a position to have to apologize later.
If you work in InfoSec or IT, you are already a smart person and none of these five ideas are beyond your reach or capabilities. The more positive you are in your life the less likely you will need to adopt anger as a coping strategy which in turn reduces the need for extreme self-medication. Let go of expectations and resentments. They are like you drinking the poison and expecting the other person to die.
I have a couple more pieces of wisdom to drop. The first is this: if you choose not to drink or get high don’t be a preachy dick about it. Again, it’s a personal choice to drink, not to drink or only drink in moderation or to engage in more chemically enhanced coping mechanisms.
Lastly, if alcohol or drugs start to become a problem, get help before you need help. There are a lot of resources available because – friend – the struggle is real and many of us have been there. Perhaps the only way to cope with war without end is to get some battle buddies?