I quit infosec and I couldn't be happier(paulsec.github.io) |
Do I still love it after 17 years? no. A lot has changed. A lot has not. I still like it most days. By far my favorite thing has been building a team and teaching others what I learned. I hit burn out here and there. I think computers and tech are different and objectively a little less fun now for this field. When I started I could find a bug in a system and write an actual exploit (actual machine code!) for it by hand in a reasonable time scale and that was always really cool. Now teams of people are required to achieve the same exact goal. Just one of many examples.
So anyway, some get off my lawn cause I am older now, some is just me changing what I like and want from life, some is tech changes. It’s still a great field as a consultant. Show up. Hack. Write report. Leave. Never be a CISO, you can’t pay me enough to do it. The end.
When I first started any idiot could hack a web application because nearly all of them had silly exploits like SQL injection.
Can you share why?
You own a bunch of unsolvable risk and your head is one of the first to get lopped off if you're popped.
Honestly, the CISO role probably needs a golden parachute and a direct report to the CEO for it to be an appealing path for most anyone who's experienced it at least once. The former to incentivize owning that much risk, the latter to enable the role to drive change.
The security world and the compliance world are changing daily, don't track each other, and your compliance drives costs, while security drives incidents.
In any case, TIL that although "quit" is most common for past tense/past participle, "quitted" is sometimes included in dictionaries as an alternative.
This may kind of seem tautological, but I think adding the extra degree of mental separation (I am a man/woman who practices X profession vs. I am X profession) can help clear your head and open new life avenues to you. If you spend 8 years grinding for a graduate degree and enter into an obscenely competitive job market and find little success, it's easy to feel claustrophobic and like you've failed if you take a job outside your field. However if you think "for 8 years I performed statistics, writing, lecturing, and reading, and now in order to make my fortune I'll try another trade" you feel less indebted to your past self and make more clearheaded decisions about what to do in life.
I have been forced to do the infosec role as a "side thing" in a couple of jobs now, mainly because nobody else was around that even had the basic skills. One of the things that discouraged me from going further in that field is that it doesn't seem to make people all that happy and fulfilled. Again, I may be wrong on that, as an outsider looking in.
I've been thinking about this a lot lately. As a millennial, I've tied so much of my self-worth into my career and recently started questioning this belief, and I think the next generation (i.e. Gen Z) might be on to something around quiet quitting, their generation placing extra emphasis on pursuing things that make them happy and viewing work as .... well, work.
E.g.,
- Don't be an internal company accountant, go work for Big 4 accounting firm to sell your skills
- Don't be in internal company IT Security, go work for a company who sells that skill
It's all about moving up in the value chain. By moving up in the value chain, you're more "valued" / appreciated / sought after.
Your general happiness will be much better as a result, and you'll also make much more money.
> But why don’t they just patch? It’s not that complicated after all.
And you kinda see this later on when the author talks about what they worked on post-transition out of infosec as a mainline career:
> I finally joined Michelin in December 2016 where I started working in the CERT team where my main mission was to automate scanning and reconnaissance phases [emphasis added] on internet-facing assets and this was my real first experience on the other side of the story - defending infrastructure and where I finally experienced change management (and the complexity behind it), impact evaluation and so on.
It seems like the author burned out not because of the work but because wherever he ended up, there was no strategic initiative to streamline and automate patching to a point where it's largely invisible. It's also a hard problem given the risks of patching bringing reliant services down and the need to automate a slew of testing to validate that said patches won't torpedo production and mission critical systems.
The bit above is important not just because it solves a problem but because (I'm convinced that) people like knowing they actually built something and enacted lasting change. And security may be one of the least likely engineering disciplines where you'll experience building a tangible product as an IC.
At least in software security it's a bit easier with build and deployment pipelines offering an opportunity to block when patches are outstanding, but I can see where the burnout would arise when a strategic effort to invisibly ensure patching isn't in place or well funded. No one gets to build anything, and likewise, nothing gets solved because nothing was built.
---
So if I could add another takeaway:
• if your job involves running around and putting out fires, consider recommending up the chain and across the aisle all the ways to prevent the fires. And if those recommendations don't catch fire (so to speak), may be worth exploring alternative means to address the burnout risk long term with the current role.
You spend 90% of the time "writing documentation" rather than on finding the security problem and suggesting the fix. That's why I chose development rather than InfoSec (despite having a knack for it), because it's more technical and I don't need to explain "why" every time.
pentesting? 20% finding the low hanging fruit, 80% writing and explaining your findings.
forensics? 10% finding how they did it, 90% writing and explaining your findings.
malware/policy/security/cloud security analyst? 100% writing and explaining your findings.
the list goes on and on... you are basically a slave for word processing software, that's why I totally understand OP quitting infosec.
On the other hand - the "hustle" economy is everywhere now, not just tech. Everyone has a side gig, and the grass isn't always greener. So, who knows.
Great post and best of luck in management.
I wonder if other jobs that emphasize relationships, like sales, might have been a better path. In your old age you have a nice rolodex to market yourself with instead of a decaying skill set that gets more difficult to refresh as you age.
https://blog.nacdonline.org/posts/cisos-breach-experience-pr...
When you get older you lose the fun of learning new stuff, and you are paid to do what you know.
Risky game indeed. It's 1:24am here in Australia and I've finally stopped attempting to reverse a network protocol for an embedded device which I'm pentesting. Reading the article is a good reminder of what can happen if you push it too far. The challenge is with this type of work you often have to put in the hours, particularly if it's a hard target.
If you lack the passion and drive you simply just won’t retain and develop the skills required to deliver. If seasoned pentesters disagree, then I’m all ears.
Someone along the way might modify the page? Unless they're using HSTS, it won't matter.
I'm all for encryption, but I'm also all for using tools when necessary, and not complicating things when not.
I like that the author wasn't afraid to make a change, not everyone can but it makes for an interesting story!
I don't think it speaks badly about the pentesting part of infosec, even though those in auditing tell me it's extremely boring to be in infosec.
Anyways nothing wrong with the text, but my comment stands.
I almost can't imagine not working in infosec, it might feel like losing a limb I think. It's not the assembly, exploits, etc. that does it for me but how I am never bored and always learning something new. The feeling when you find a compromise by a sophisticated actor or even stop a compromise in progress, even if no one ever hears about it, is amazing. I did networking and other types of jobs that were great too but eventually you master those more or less and start to get bored. I suspect pentesting is similar in that you learn new techniques all the time but the vulns you find are still the same stuff more or less? I have no idea, just guessing. I guess what I am trying to say is how rare it is to find someone with passion for infosec that applies themselves and how broad the industry is (maybe you might enjoy being an instructor or manager?) and how any job in infosec would love to have you because of your background.
AltaVista was a Google competitor, IIRC.
But I am kinda wondering why this brings so much attention? To me this reads like a long trip down memory lane. Is your takeaway: "if your job and your hobby are too similar, then this will lead to burnout?" Or is it "a job in infosec will lead to burnout, because infosec has certain inherent problems?"
Let's just shout "ffs, just patch yo' shit" rather than actually trying to educate people.
Let's all go to a hacking convention, and act like children and hack everything within arms reach at all times.
Let's all belittle people who don't have the same level of technical skill as us.
Let's all be arseholes to women in the field.
etc etc. that's why I took a step back, because for all the "we want to help you fix things to make the world a more secure place", the infosec industry seems to not want to help make it happen.
Looking back, working in infosec was such a great experience and I recommend it to anyone who wants to jump in!
The reflections generally about knowing when to move on are more field-agnostic.
I once worked for company making a security product. The other software engineers knew almost nothing about security or secure coding practices. It was never a requirement for the company to hire people with security skills, nor did security skills even get taught! I tend to think that's the norm in the industry, but I'd be happy to be proven wrong.
Yeah, blow my karma idk
[1] https://books.google.com/ngrams/graph?content=had+quitted%2C...
The soul sucking large corporate entities, I couldn't agree more. Stay away from that if you can. You really only need one big company household name to spice up your resume and you probably have that already. I have mine and never went back.
Yep, this is the direction i wish to take next. ;-)
I have a multi-decade career, and for like the first decade or decade and a half or so, I tried to stay as long as reasonably possible at whatever big company I worked for....being raised to think that loyalty, and working a long number of years at the same employer, was a sort of weird badge of honor. I got hit by bureaucratic BS/blocks on such a constant basis, and then got hit by my first layoff...then I thought: "oh man, it's me, I'm the problem, maybe I'm not as good as I thought, etc." Then I got yet another corporate job....and then another layoff...which by the way both layoffs were due to re-orgs, and impacted many people, and not specific to my performance. But, you know, the ego and heart get hit hard.
So, I tried 1 year (during the middle of the pandemic) to work for a non-profit...thinking that maybe I can use my passion and people and tech skills for some good causes...Nope, never again! The sample size is of course so small (I only worked for a single non-profit), but I encountered the same corporate blocks as in the for-profit world, but with a vastly reduced paycheck. I still love my peers in the non-profit, and while I was there I actually made a difference in thousands of people's lives, as well as gaining accolades from the IRS for a model and taxpayer experience that I developed for some web portals that I led the dev. for. And, I still very much believe in what the non-profit where I worked does...But wow was the org. crazy dysfunctional! Anyway, over the last couple of years since then, I keep jumping from one big company to another....and after all these decades I feel I have more passion than ever before for the tech and the problem spaces! ...BUT...now I have less patience for corporate bureaucratic BS/blocks...so I jump more often nowadays; which I don't like doing. Maybe I will try small, for-profit firms and see how things go....but, man, corporations really do know how to hamper those among us who have the passion, drive, and technical chops to really make a difference. Passion and competency - at least at the big boys/girls where I worked - seem to count for nothing nowadays.
The biggest security weaknesses are people. Employees get socially engineered or phished. Management doesn't take security seriously so they put only a tiny budget toward security. Lazy sysadmins don't keep their systems patched. Software developers can't be bothered to learn how to write secure software, and this is mostly because their bosses don't incentivize them to. Security vendors often hype up their snake oil products. Good security protocols and technologies aren't adopted because people don't want to change.
Dealing with these human problems is awful, demoralizing, and generally unsolvable.
I decided 10 years ago to never work in a role/company where my job didn't contribute to the bottom line. It's much more satisfying.
* can be demanding or irregular in terms of hours
* real, genuine infosec requires deeper knowledge of OS's, protocols, tools, programming & scripting, etc. Gotta be a little more experienced to get that, and even more experienced to move away from it into mgmt or higher level roles. In other words, older office worker, and that means more gut.
Medication shouldn't be out of the question to stop the stress from killing you. I don't need to know any specifics but just when you say "stress" and "overweight" I can tell you to get checked for at the very least sleep apnea and diabetes. Both can and will ruin your day if you don't catch them early enough, and most people don't.
You have to make sure you manage your relationship with your job carefully, or you will burn out as the author did.
For me, paid work is a means to achieve what I personally want to achieve. If I can achieve what I want during work hours that's great, stars are aligned. If not, work is just a way of getting the money I need to achieve what I want, and should never drain me.
I don't care about career, I care about being paid enough to do what I want to do of my life. I won't sacrifice personal life for it.
Work is a good chunk of the time so it should also be enjoyable as best as possible.
Of course, advancing your career can help you get paid even more / enjoy even better; if so it might be a good thing to do. It's just that it's a means, not a goal, like it seemed to be for some of our parents or grandparents.
Please do not use this phrase.
Working 9-5 is called "doing your job"
IT in Europe here and we work 8-5 with 1h lunch...
Similar in the US, I've never actually seen an office that works 9-5, despite that being the phrase. It's always 8:30-5 or 8-5.
It may once have been A Thing here in the US, with a 30-minute lunch and two 15-minute breaks coming out of a total of eight hours at work, since there are legally-mandated break periods for ordinary wage or hourly workers—but it seems like everyone's "exempt" now and so has far less legal protection, plus I'm sure enforcement's nearly non-existent. I assume it did actually exist, once, though, for "9-to-5" to have entered the language to begin with.
Quite a lot of people stay after 18, mainly because of historical/ tradition reasons.
How terrifying is that, busting ass from your 20s to mid to late 50s, and then getting hopefully another 30 years to "enjoy life?" I mean I'm sure many people find enjoyment along the way but damn that just seems so depressing.
Maybe it wasn't bad when that generation was working, I know many had a very nice quality of life for relatively less effort due to higher purchasing power and lower housing costs.
They constantly ask me for money now.
Agreed. I'm all onboard with delayed gratification. I'm onboard with "putting in the work." But waiting (literally) decades before living it up... sounds totally backwards.
Care to share some of your favorite findings?
It's just slavery which the older generations thought was appropriate, much like having a large family to look after you was a thing before family sizes came down.
It sounds cliched, but have a bucket list of things you want to do and try to do some of them. Put yourself first and your job second because the days of businesses looking after their staff and a job for life is long gone as every recession demonstrates.
In terms of adding extra items to improve their happiness, it appears that this strategy is generally ineffective. Despite their efforts, the quiet quitters I met do not appear to be any happier
The alternative to hard work is doing nothing and that certainly will get you no where at all. The idea that a younger generation might have had it slightly better (which I think is pretty subjective anyway, previous generations have all had their fair share of bad shit) so you won't do anything to get ahead is just asinine.
This is more true if you're a small startup selling a security product. It's less true if you're one of the top 5 companies in the field.
1 good friend of mine, was a super driven lawyer at a huge world-class firm in NYC. She got cancer, and had to take a leave. Fortunately she recovered fully and quit basically the first moment she got back. This isn't one of those 'she left to follow her passion in the arts' cases - she LOVES being a lawyer, but she realized she wasn't living a life. Now she's in-house at a multi-national brewing company.
Anyhow, all that to say - you may be more valued, but it's much easier to be the client!
> It seems like the author burned out not because of the work but because wherever he ended up
Don't get me wrong and maybe I was not clear enough (my bad). The infosec part I mostly contributed to was within some consulting companies where I was hopping from one assignment to another one, having different clients every week. I saw some clients with some really strong security posture, I mean it. The "burn out" I experienced was clearly not related to that but pretty much from hacking, writing report, sleep & repeat.
Yeah, this tracks. I rescued myself from this by switching to in-house security teams with ownership of security infrastructure.
Similar to what you did.
Other security adjacent roles can be found in areas like web browsers, compilers, and kernels; there's a massive amount of software engineering work that goes into securing existing systems that goes beyond trying to break things. Most large companies will have many people working in such roles.
Developed by Digital to showcase the power of their CPU, the DEC Alpha, IIRC...
The topics are
1. Capitalism takes away your ability to be bored, at least mostly. You'll spend the majority of your time at work. You can be bored there, but not in a very productive way. Your boredom is a function of the company's failure to extract maximum value from you every hour you're there. My gf got laid off with a severance, her boredom is a gift, she can sit and be bored and in that way think about what her purpose is, why she likes being alive and what she wants to do with it. In that way capitalism steals purpose: your purpose day to day is to drive profits for a company. It's not explicitly evil or bad feeling when that happens, because the system rewards you in a million ways when you do tie your purpose to a company's profits. In what ways can people escape this to explore what their purpose might actually be? This isn't necessarily a new thought, I just wanted to explore it.
2. That "retirement" exists as a concept is terrifying for so many reasons, as listed above. It also creates a kind of cultural expectation of sacrificing the bulk of your life to "earn the right" to leisure... but some people are born into that right. That sucks.
3. Capitalism may have weaponized and pillaged the desire to be a part of something greater. Similar to 1, there's probably a natural human desire to "be a part of something greater" (heard in countless interviews of people that do otherwise kinda strange things like join violent militaries or participate in cults or allow themselves to be hazed to join frats). When you join a company, that desire is cannibalized to feed the needs of the corporation. Your day to day energy to spend on being a part of your local community is instead directed to the needs of a company who is possibly transnational and who even could be directly harming your community, by for example dumping trainfuls of harmful chemicals in your backyard. Corporations and corporate culture have been very good at directing the desire to have a common goal and be working together on something, but did they invent these techniques or just pillage them? Is project management something unique to capitalism? What happens if you get a big group of people who aren't having these energies directed by a profit minded project manager, what will they do in their own communities to find meaning? What happens when you take a highly skilled project manager and put them in a situation where there's no profit to be made, what kind of projects and organization will they dream up? This because I do a lot of anarchistic direct action and communal work and am always thinking about managing goals, projects, tasks, needs, and etc in situations where there's no profit motive.
I'm also working on a blog post about how tf to get the 80 different web dev aligned emacs major modes to all respect a .editorconfig file and another one journaling my family's visit to Taiwan so realistically I'm spinning way too many plates....
I'm also perplexed about the people who say things like 'why should I make someone else rich'. Can you imagine that in an interview? Yeah hire me, but you better not be making a profit on me. You better break even or lose money or I'm out! You should WANT people to make money off your efforts.
This is a nitpick, but customer-facing ordering and delivery technology arguably is the main product for Domino's Pizza. The food basically defines replacement level, but the tech differentiates the experience from other shops.
Amazing CISOs lead security by enabling others to make secure choices that still let them move quickly and deliver value. To do that - they shouldn't always be one hack away from losing their job.
Common Pitfalls:
- Act as a gate that slows everything down, i.e. it must be secure, which in turn makes things less secure, as there's less time on the board to fix things.
- Chase massive budget. Eventually get massive budget. Buy silver bullets that don't fit in tech's guns.
- Focus on the non-tech parts. We'll train people not to open cat.jpeg.exe instead of, you know, auditing their usage and turning off their kit / login when they're pwned.
With anything, it's all about the people you put in place, but my experience is the average large company CISO sits on a pile of paperwork and IT security whilst their servers aren't patched.
CISO direct report to CTO can be a conflict of interests for the CTO.
C-suite positions need a golden parachute because they can be career-ending. You don't climb to the C-suite then go back to being an IC or lower-level director.
CISO can be even riskier than other C-suite positions. So CISOs really need golden parachutes. But CISOs almost certainly don't get golden parachutes worth the while -- they are generally seen as less important than CTO, CFO, COO, and CEO.
Plenty of companies keep their security teams + CISO after they get popped.
CISO -> COO -> CEO
CISO -> CIO -> COO -> CEO
CISO -> CSO -> COO -> CEO
CISO -> CLO -> CEO
CISO -> CLO -> CFO (wtf?) -> CEO
And none of:
CISO -> CEO, or even
CISO -> CSO -> CEO
The only one I've seen be extremely effective aside from a direct reporting relationship has been where the role reported up to the CLO (general counsel) and said role reported up to the CEO directly. Reporting up to the CIO or CFO (again wtf?), there were conflict issues at play where the CIO or CFO was obligated to prioritize their main mission. CISO to COO worked fine generally from what I saw, as did CISO to CSO to COO, but it meant the CEO was often shielded from issues where they could impactfully move the needle where needed.
---
The CFO one was at a company owned by private equity, which makes perverse sense when you consider that most business leaders consider infosec to be a pure cost center rather than a business enablement function. Doesn't help that many CISOs historically never ran their shops with business enablement in mind either, which put a lasting dent in infosec's reputation as a function that many emerging leaders are still trying to rehabilitate.
As far as I can tell, this is the actual purpose of a CISO: being the sacrificial goat when an entity experiences a security event that ends up in the news. I say this without any sarcasm.
For Corey Quinn's fantastic "security awareness training" thread: https://infosec.exchange/@Quinnypig@awscommunity.social/1097...
He described his job as "we shouldn't do this, or this. we probably need money for both, or failing that, implement some really annoying, workflow-impacting changes that will annoy people. so gib mony plz".
inevitably the org would say no to both, so he asked for that in writing and then played the CYA game hard when it went bad.
"a cortisol rollercoaster followed by begging followed by more rollercoaster" was a phrase he used.
Do you have any stats to support this statement? I work as an Information Security Officer; other firms have BISOs or other names for this kind of position.
Additionally, a lot of what you are describing is either cliché ("you can only be wrong once"), only true for certain types of businesses or regions. There have been examples where CISOs have experienced legal pain in the US, see Uber's former CISO. But I would not expect companies to see this as an exemplary case.
Articles like this: https://www.forbes.com/sites/forbestechcouncil/2020/02/10/th...
LinkedIn data is pretty reliable, so this is not a difficult thing to study sufficiently.
Do you believe food just magically appears on your plate, water cleans itself, your plumbing just happens to work, medical services operate autonomously etc.?
The problem here, is you're an elitist. For you, your boring desk job is slavery so you want the freedom to go about doing whatever you want while the peasants provide you the means to continue being fat happy without providing anything back to society.
You're speaking from a small minded subset of white collar society that has the inability to understand how society operates as a whole. What you want is to subject a certain class to "slavery" to support your endeavors.
Every politician I meet I ask the same question: what do we do when automation has driven the value of nearly all human labor down to pennies? None have an answer. Nobody that's a big fan of the current system has given me an answer other than "it'll never happen," but it seems inevitable to me.
The USA already subsidizes food non-productivity to maintain stable prices for agriculture. So why don't they just stop doing that so food does magically appear on my plate? Is maintaining broken market dynamics in every aspect of life so important that it justifies some going hungry, some working two jobs, all of us working 40 hours a week until we're 60?
It's not, but the way the money is distributed and created is. For example during the 2008 crisis, because the velocity of money fell, banks were desperate to get people spending again so interest-free £millions were offered to the rich in order to get them to spend money in the economy, reinforcing the trickle-down concept.
> is you're an elitist.
What gave you that impression?
> that has the inability to understand how society operates as a whole.
So explain it then? Explain society.
> want is to subject a certain class to "slavery" to support your endeavors.
I think you are further from the truth; if I could take a pill or an injection to end my life in a non-barbaric way today, I would take it. Unfortunately that's not on offer because society dictates I need to be tortured to support it.
My life has already been stolen, and there isn't the science to replace it.
You CANNOT obtain the lifestyle you're going on about without a sub-class of individuals that do have to continue working these supposedly "slave labor" jobs you're talking about. This makes you an elitist. You think you deserve to live a care-free life while others are forced to maintain that for you.
You need an attitude adjustment and you need to put some perspective in place before it's too late. You're not thankful for what you've got.
This is a false dichotomy. I put in a solid 40-50 hours at work. If I have to put in double that just to stand a shot -- not get, but have a shot at -- the lifestyle that my parents had while only putting in 40 hours a week, then the system has failed me.
And that was 40 hours a week with one person working and the other staying at home.
No one is suggesting you get to have stuff for free, but it is painfully clear that even with dual incomes the average American is failing to maintain their parents' standard of living.
It's a broken system, and the Zoomers can easily see that -- they've had smartphones since they were like 8.
"It's a broken system, and the Zoomers can easily see that -- they've had smartphones since they were like 8."
If you're referring to the poor decision making on raising kids with smartphones I'd agree with you, but that's a lack of good parenting and bad moral judgement. It has nothing to do with capitalism or modern work ethic.
The irony and cognitive dissonance in this statement. That means by every economic measure they were doing quite well at age 8. Did boomers get cell phones when they were 8? How about survivors of the Great Depression... do you think they had anything close to the equivalent of a cell phone at the time? The other issue here is that you believe constant negative influx of media as always truthful.
The issue with you is that you assume that a generation having slightly less than the previous means we need to scrap the whole system and it doesn't work. You need to put some things in perspective and maybe realize that the life you had growing up was WAY above average so a slight decline to a lifestyle that's still magnitudes better than what the average world citizen deals with isn't all that big of a problem. There are generations and generations of people that died to give you what you got, went through world wars, civil wars, great depression, pandemics. I'm sure they'd have loved to be "slaving away" in your climate controlled office environment with a smartphone.
"And that was 40 hours a week with one person working and the other staying at home."
You can blame feminism for that. It tricked the average woman into thinking they would have more meaning working in an office 40 hours a week than they would doing the most important job in the world... raising kids. It turns out that when everyone starts having a higher average family income, the market adjusts to that. And, the staying home and raising kids part is key, they weren't just sitting at home doing nothing while their partner worked.
"A working person could support a family, buy a home before 30 and have hobbies 50 years ago."
Try not living on the coast near your favorite coffee shop and you too can achieve this. It's almost like those generations didn't expect to have a beach front condo in LA with every tech gadget available.
That's because one person worked. What do you think happens economically when both parents in a family start working? This is basic economic principle.
Thanks for the good-read!