“There is no way to tell his story without telling my own. And if his story is a confession, then so is mine.” – Captain Benjamin L. Willard, Apocalypse Now.
16:05, Atrium Bar President Hotel, London – Having spent a quarter of a century in information technology and thirteen years in one uniform or another performing intelligence operator and analyst functions I have some observations to share on what can be best described as the gravitational tug from an InfoSec black hole.
A lot of people including myself tend to characterize the profession of information security as not particularly healthy and I think that’s a fair assessment. It may be our collective lot in life to – fortunately or unfortunately – be skilled in this profession and endure “the crazy” with perseverance, and if we are lucky, comradeship.
What many notable observers, pundits, commentators, and media are quick to point out is the seemingly endless string of data breaches and how basic security controls could have prevented <insert the latest big data breach here>. We all do it, whether in the media or among our colleagues online and offline. I do it a lot. In Forbes and other publications. This got me thinking about my own experiences.
I quoted Captain Willard to set the stage for a discussion of the consequences of a data breach on a class of victims that do not receive enough understanding or compassion. In fact, very little is understood about them. The staff and managers that make up the IT team, the security team, and risk team are on the front lines and sadly, these folks never get to tell their stories about the world they live in and the personal consequences of living in a world where “the good work” is never noticed and “the bad work” has grave, if not catastrophic consequences for the organization and your career.
This is the very core problem of the information security profession. It becomes hard not to find yourself thinking “worst-case scenario” and that can lead to misjudging, mistrusting or second-guessing your instincts – even if you are following a checklist or process. Humans are fallible…and not to make light of a bomb technicians deadly work, many of my brothers and sisters in the InfoSec profession are defusing bombs (or accidentally building them) from a corporate, financial or regulatory perspective every day – day after day.
“Everybody breaks. It’s biology.” – Dan, Zero Dark Thirty
So, this environment has a psychological cost, yet everyone may not suffer the same or be impacted the same by being immersed in the zero-sum game of InfoSec. Long hours, poor life quality, unhealthy lifestyle choices can bring is a sense of dread brought on by this pervasive “worst-case scenario” outlook as it travels with you long after leaving work. At work, it’s called risk management and contingency planning. Outside of work, in my opinion, it’s straight-up paranoia.
I’m not a mental health expert so don’t expect a clinical diagnosis from me. I do see this paranoia—an instinct or thought process believed to be heavily influenced by anxiety or fear often to the point of delusion and irrationality—is a growing mistrust of people close to you and outright interpretation of events as maliciously directed at you. This self-perpetuates a cycle and reinforcement of the “worst-case scenario” mentality far outside the confines of your role at work. There is also a great risk of cost outside of work relationships, too, including home and social life.
There is another perhaps even more destructive and recursive element of a job in the cyber security, military, law enforcement, or intelligence profession and the damage may manifest long after exposure. The “keeping of secrets” destroys people, relationships and in many professions – not exclusive to my list above – the consequences of keeping those secrets can be particularly unsavory.
“The price one pays for pursuing any profession or calling is an intimate knowledge of its ugly side.” – James Baldwin
Richard Thieme – who uses the above quote from the well-known American author – has thought about the keeping of secrets and the toll they take along with many other aspects of human behavior. I urge everyone reading my small contribution to the discussion to explore his larger work on his website and published works. Richard’s presentation on “Playing Through the Pain: The Impact of Dark Knowledge on Security and Intelligence Professionals” for DefCon 24 was impactful – eventually. I was in his audience but, what he had to say at the time did not resonate with me.
Until now. At fifty years old – I see what he had to say in an entirely different light.
The real cost of security work [IT work] and professional intelligence goes beyond dollars. It is measured in family life, relationships, and mental and physical well-being. The divorce rate is as high among intelligence professionals as it is among medical professionals, for good reason – how can relationships be based on openness and trust when one’s primary commitments make truth-telling and disclosure impossible?
The most amazing takeaway from Richard’s discourse is that those secrets that impact IT and IT security teams don’t need to be national security related to being burdensome. In many organizations when a cyber crisis hits the technical teams know the truth of the matter and are coerced, blamed, shamed or silenced in deference to the corporate good. This is not necessarily a bad thing from the public, corporate communications perspective in our highly regulated and competitive marketplace but, those that are asked to carry a burden of truth in silence need a positive way to express and release what transpired. A constructive discussion of how the event made them feel is a necessary part of a post-mortem discussion. Otherwise, we realize the next great peril of InfoSec.
“You Keep Using That Word, I Do Not Think It Means What You Think It Means” – Inigo Montoya, The Princess Bride.
Cognitive Dissonance (CD): In the field of psychology, cognitive dissonance is the mental discomfort (psychological stress) experienced by a person who holds two or more contradictory beliefs, ideas, or values. Enough psychological stress for a long enough period and CD can result in physiological symptoms which being to manifest as Post Traumatic Stress Disorder.
So, for all of those organization leaders who have diligent and dedicated IT security staff and IT teams remember that in times of crisis they will work hard to bring the organization back online and functional but, don’t forget they may need as much help as anyone else.
Clear Hearts, Clear Minds.