Four Truths

There are four basic truths in security, infosec, cyber, or whichever buzz word you wish to use today. Understanding these truths and how to balance them is key to success. Balancing them may mean planning your own time or the size and structure of your team, depending on where you work.

Firstly, security is fun. It's fun because you get to learn about and sometimes play with the methods that attackers use. You might even start to feel like someone from Mr Robot, or Wargames at times. Some might call this ethical hacking, some penetrating testing, and some may think it's just an excuse to have fun. In any case it is valuable. The key is to not spend too much time or resource on the fun stuff otherwise other areas may suffer.

Secondly, security is easy. By that, I mean it is much easier to look at a system or process and find fault with it than it is to do it right yourself. This is a basic truth in life and recognising it is a differentiating factor when dealing with others. They will feel threatened because you are criticising they way they work or pointing out mistakes that they have made in the past. The key is to make sure they understand that in this respect, their job is harder than yours and they deserve some credit for that.

Thirdly, security is hard. The main reasons for this are twofold. Firstly, related to the second truth, you will often have to overcome the inertia of cultural and behavioural change. This is one of the hardest things to accomplish unless your organisation is prepared to take harsh action against offenders (which in itself can be morally difficult). You will likely make more adversaries than allies. Secondly, when it comes to protecting your organisation from attackers, they have the upper hand. In this setting you have the same challenge that your non-security colleagues have, in that it is easier for someone else to find fault in your security measures than it is for you to get them right. You could easily blame this on your internal challenges, but this is part of your job so you need to suck it up and get on with it. Dealing with these challenges will take constant readjustment of your strategy as you discover more about the organisation's technology, processes, structure, and culture. The key is to not become disheartened when a particular strategy fails. You must be objective and analytical and find out why it failed. Sometimes you are best off to take a step back or some time out to relax and think about something else. Get some exercise and fresh air, or spend some time on your favourite pastime. Sometimes new potential solutions come to me while I'm walking the dog, climbing, or playing the guitar. Of course not all challenges will afford you this luxury of time for problem solving, but some certainly will.

Finally, security is rewarding. By that I mean the harder you have to work at something, the more satisfaction you get when you achieve even small successes. Would it be more fun if security was easy and you had more time to experiment and learn new and exciting techniques? Maybe... But the rewards from winning small battles in this ongoing conflict make it extremely worthwhile and satisfying. The key is to have patience and enjoy the smaller successes that you achieve along the way, because if you want to achieve too much too quickly, you will become frustrated, disheartened, and doubtful. Trust me, I've been there and got the scars to prove it.

I hope this gives some insight into what it is like to be a security officer at a medium-sized international enterprise. Maybe your own experience is different to mine, in which case I would love to hear from you!