Are IT Security Professionals Less Happy? 363
zentanu writes "It's said that if you want to be happy, be a gardener. What about IT security professionals?
Having worked as an IT security consultant for several years, I now wonder if my job has a negative influence on my happiness, because it constantly teaches me to focus on the negative side of life: I always have to think about risks and identify all sorts of things that could go wrong.
As an auditor I search for errors that others have made and haughtily tell them. As a penetration tester I break systems that system engineers and administrators have laboriously built. I assume inside threats and have to be professionally suspicious. The security mindset surely helps me in my job, but is it good for me on the long run? What kind of influence has being an IT security professional had on your general attitude towards life? What helps you stay out of pessimism and cynicism? Is protecting existing things really as good as building new ones?"
I'd reply but I'm worried someone will be watching (Score:1, Interesting)
Who watches the watchmen? Being a security wonk is going to be our version of being a member of the secret police. Check out how they went historically in terms of happiness.
AC
my 2c (Score:5, Interesting)
I have never *ever* used my job when considering my own self worth.
Jobs are the means to make money. Sure if you enjoy them, great, but if you don't, and you judge your self worth by them, well then you're fucked.
Its better to have other measures, other means to judge how well you are doing in life. For me its my open source coding, and my amateur science efforts, as well as being a dad. Any job I do is only, and will only ever be, the means to provide the necessitaties of life, like savings, a home, money for my kid and such.
Ok, that's important, but its not a thing upon which your self image should be based. At least that's how I feel.
Actuary (Score:4, Interesting)
I can think of a few jobs that are a lot less happiness inducing, like insurance actuary... placing bets on how long people have to live must be a downer.
OTOH, if you can learn to leave work behind when you go on vacation then IT security pays a decent salary and you should be able to afford a relaxing and distracting trip to whereever entertains you, especially in nature settings.
I work with lots of IA people (Score:5, Interesting)
A good number of them would be checking bags on the way out of BestBuy if they didn't know how to boot a PC.
My experience lately is that security people, generally, are:
a) not intellectually curious,
b) fearful of change,
c) often suspicious of others' motives because they, themselves, have malevolent intentions, and
d) powertrippers, because they've been given power to second-guess solutions they weren't technically-savvy enough to come up with themselves.
It's fun to discuss something like IPv6 with an IA weenie. He doesn't understand it, so it must be a threat!
BTW, I work for a large federal organization, where these people are everywhere.
IT sucks (Score:1, Interesting)
I get less pay working in IT than i do working in McDonalds as a manager.
Wouldn't this threory apply elsewhere? (Score:5, Interesting)
Wouldn't cops and military personnel also be extremely unhappy as well, based on this?
Wouldn't people who work in demolitions, tearing down buildings, be very unhappy?
Wouldn't this mean that anyone working in a job that had a potential negative impact on others, also be very unhappy? I mean with gas prices what they are, isn't the guy working at the gas station feeling miserable, because people hate paying as much as they are for gas, and he is the front-line representative seeing these reactions?
Part of it comes form PHB who don't get it and for (Score:3, Interesting)
Part of it comes form PHB's who don't get it and force non working software and security rules on you.
Re:I'd reply but I'm worried someone will be watch (Score:5, Interesting)
I know a guy in IT security. He's generally a happy person, with a good family life to keep him busy. He plays horn with a band, with practice keeping him busy several times a week. He says that's what keeps him sane.
the bigger answer: (Score:3, Interesting)
If you are in IT at all you tend to be less happy.
I totally identify with this... (Score:5, Interesting)
The security mindset can definitely do long term harm, in my opinion, assuming you're not careful that is. In order to be really good at it you need to be thinking about new potential exploits all the time, and it's really easy to let that rub off in your ordinary life.
I started seeing trivial security holes everywhere... everything from what's wrong with security labels, and tabs, on food products, and "tamper-proof" pharmacy jars to flaws in ATM vestibule security... you name it.
Honestly I kind of started developing mini-phobias or something about things like, take the security labels on food items. Let's look at a plastic mustard dispenser. Underneath the screw on top it comes with a little tab that you rip off, and somehow this keeps it safe from tampering during the period between when the manufacturer creates the product and when you purchase it.
It's absolute nonsense, and does NOTHING to stop anyone from doing anything to the contents of the mustard dispenser. Should someone want to insert a harmful substance into the bottle it could still be done with a very thin needle. It's really there just to appease the masses into thinking the product is somehow made "safe" by the introduction of that little security tab.
So I think about that, then I start to think... oh man, even my mustard's not safe, what if someone did something to it!?!?
It's ridiculous, and completely irrational. I don't think in the history of the modern food distribution system has anything ever happened to anyone's mustard. We all hear horror stories about Halloween candy, and over the counter medicine but I think in large part that stuff is all urban legend.
I think absolutely, yes the security mindset can cause mental health problems, in minor ways for some, and for others who are more prone to thinking negative thoughts perhaps in major ways.
The key, I think, with the security profession is that in order to stay on top of the game you need to always be thinking about how the next attack could arrive. Criminals are creative, and so must be the security people as well. In training your mind to think this way I can see how people would find it easy to become unhappy in other areas of life too.
I no longer do security work, but it's not because of finding it difficult to keep that work / life balance alive (I just got another better opportunity in a different sector). Still to this day I have some lingering security thoughts about things, but all I can do is try to think logically about them.
Just because something is insecure that doesn't mean it's worth worrying about. There's a big incentive for criminals to find any way possible to gain access to a sensitive or desirable computer system, but there's very little gain in tampering with a bottle of mustard ;).
As you stated in your question, it sounds more like you're starting to see the pessemistic side of things everywhere. Everyone's a potential threat. I think no matter what it is it's a similar expression of the same issue: security people get paid to do nothing but worry.
It's not a totally correct analogy, but I think it serves well enough. Now that I'm out of the security business I am pretty thankful. I never realized how much of a burden it was until it was gone. The less time I spend thinking about potential security holes the better I feel in general :). I think it's safe to say security pro just isn't the job for me... perhaps others are made for it.
Seriously though I don't know how people do it. How DO you do that job and not immediately size up threats? How do you not instantly look for the gaping security hole in the access panel on the ATM you're using? How do police men not become jaded and see the potential crime in every situation?
I think some people don't... they do become jaded. But others, the ones who stay happy, they just fight through it. I honestly think it's a choice. You are in control of your mind, and you choose what you le
Re:Short Answer (Score:5, Interesting)
OK, so you can either be a security dick and "haughtily" tell people of their errors, etc, or you can actually help the sysadmins. And I don't mean help by slapping your polished report on the managers desk and think you're helping by listing all the things they've done wrong.
No, get down in the trenches. Build a relationship with the engineers and sysadmins, so that you work together. They'll start coming to you before they make mistakes asking you to help them double check their work. I worked at one shop where the security team was just like this. We'd work with them on what we did, and prevented tons of mistakes before there was ever an issue and things moved to production.
Then you have the security team I work with now, who we simply call "Team No." They're pretty useless, everyone hates ever having to deal with them. They're the type that when you ask for help designing a secure system will respond its not their job. When you question them they'll haughtily respond "I know what I'm doing, I'm a CISSP!!!" Big freakin' deal, I respond, so am I. But the net result is without cooperation, they'll never truly be able to secure our systems.
Please be the kind of security guy that is a help not a hindrance. And then I'm sure you'll start going home at the end of the day feeling much better about yourself.
Happiness is what you make it (Score:2, Interesting)
I have always been suspicious. I always notice everything. I enjoyed my FT time as a cop and I enjoy my time on the SO. I enjoy what I do at the state agency I work for. I don't think that my contact with the negative part of society (at the SO) or dealing with idiot users (which sometimes is more difficult that the folks I get to take to jail) spills over into my time away from work.
I think you make your own happiness. I can focus on the negative I do or deal with or when I am away from work or I can find things that I enjoy or relax me. That doesn't mean you're not aware, we all should be aware no matter what we do its more that you don't let the frustrating or negative part of your job overwhelm you. I think that holds true no matter what you do, be it IT, LE, retail, customer service. Every career has negative points in it, it is a matter of what we do in our down time to unwind and blow off steam.
Having said all of that, if you're finding your job is making your personal life unhappy and decompression time / activities are not making that better, you may need to find a different area to work in (not necessarily out of IT, maybe just a different sub-set).
Just my thoughts.
Re: "traditional security" vs. I.T. security (Score:5, Interesting)
no, there is quite a bit of liability involved in IT now. Not properly protecting salary and HR files can be a criminal offense to the company owners.. you have to do it. But you are correct, security is not really about "preventing" wrongdoing, because somebody that wants to get you will. On the other hand one part is to make enough noise that the honest people know you're watching and aren't lead astray. The other part is logging and auditing what's going on... just like a physical security guard, to know who belongs and who doesn't, then able to prove that in court if you need to.
Good security also keeps people from accidentally messing up your data, and that's the most common and disastrous thing that happens. To only give people the minimum they need, then when 2 months of TPS reports are missing you have a short list of who had access rather than entire departments, and find out the boss deleted them not "some hacker". You also keep unqualified people from screwing things up.
Re:Good times and Bad times in any job (Score:4, Interesting)
Keeping those pesky hackers at bay is not a job I'd want to do. I'm a fairly creative person.
Heck, keeping those pesky hackers at bay IS fun to me. I find that sometimes, ok most times you have to be creative to do this. The graet thing is that different people find different things fun and interesting.
-----
Right click here to download sig file
Re:Actuary (Score:5, Interesting)
Or insurance claims denier.
"I'm sorry ma'am, but we can't cover your little girl's ambulance ride. You should've taken the bus."
I knew someone who did that and after a few "yay, you're not dead, welcome to financial ruin" type calls, he had to quit.
As a former policeman (was Re:Oy vay) (Score:2, Interesting)
Let me say that yes, none of the OP's reaction is new. However you're wrong when you say that you can simply "punch out", at least in policing.
The constant search for threats and hypervigilance have a psychological effect that carries over into your private life. After 10 or 12 hours on duty in this heightened state often the last thing you want to do when you get home is engage another person. It's hard on personal relationships, especially when your close relations don't understand the psychological mechanisms taking place. Children seldom understand why all mom or dad wants to do when he/she gets home is sit in front of the TV or just be alone for a while.
Now, IT security is a little different. But not that much. In policing you constantly deal with the 5% of the population (and it's usually the same people over and over again) all of whom are intent on harming you or someone else. You're conditioned to be wary and you can't trust people if you want to remain safe. This mistrust spills over into your dealings with the 95% of the population who are decent, earning you a reputation as an asshole. It's hard not to become cynical and view everyone around you as a waste of skin. All of this has an effect on your self image if you're not able to separate your "self" from the job you're hired to do. Not everyone is cut out for this sort of thing, and perhaps the OP isn't...
To the OP: Consider that while you may be good at your job your talents are also applicable to other fields and that perhaps IT security isn't for you. There's no shame in recognizing this and moving on. At the end of the day the people who care for you are more important than your job, and you're shortchanging them by bringing your work home in increased pessimism, cynicism and depression.
Re:Short Answer (Score:4, Interesting)
In IT security, people just want to download cool screen savers. Most simply don't see the risk. As such, the job of an IT security professional is much more difficult (e.g. - "why can't my password just be the name of my dog?").
That is exactly why most people don't like IT security. The true answer is that their password _can_ be the name of their dog, for 95% of users, because they won't have access to sensitive information by default. To access that sensitive info, they should have to jump through security hoops, use secure passwords, etc, but not to unlock their workstation after refilling their coffee.
There's an old saying, that I can't remember exactly, that says if you use the same protection to safeguard your bread, as you do your money, then your money will be as insecure as your bread used to be. The reason is that nobody is going to run the vault combination every time they want a slice of bread, so the end result will be that the vault stays open, making your money insecure.
Re:Short Answer (Score:5, Interesting)
I'm not sure, but back in the days when I worked as a programmer making a poker game (before the craze broke out about online gaming) I was constantly feeling numb about the whole programming deal spending some of my days just surfing around feeling kinda worthless to the company and that in turn made me feel kinda worthless too in the long run.
About 7 years ago I started working in craft, with tile laying (bathrooms etc), and I never had a bad day. Sure some days are tough but when the day is done I always feel like I made a difference, and I'm not mentally exhausted when I get home, so I could for instance do some programming for fun or whatever.
It's not true for everyone of course, I know plenty of people that can handle it, but for me it seems like the more work I get done the better I feel. And with my job I can make other people happy, that kinda helps. With IT you are just making people less miserable.
Late night rand, gotta sleep :-) (.se)
Re:Security Drama Majors (Score:4, Interesting)
So what does "IA" stand for?
It stands for "Information Assurance." It's what the Federal government calls IT security. And the OP was right - the Feds are in a world of their own with this stuff. Any time IT security can even possibly intersect with access to classified information, the paranoia level goes just off the charts.
Re:Oy vay (Score:4, Interesting)
As much as the crowd around here pretends like it's a farce, I turn to faith to provide my much needed avenue away from cynicism and pessimism. So how does it help me?
So for everyone who says that religion is a crutch, I treat my faith like a scaffold, lifting me up, and giving me the support necessary to paint my life in a way that will please my Father.
Oh, and yes, I still have to fight worry (job security), gossip, and being someone no one likes to hang out with outside of work. I'm not that different from you.
Re:I'd reply but I'm worried someone will be watch (Score:5, Interesting)
Security nut for local network speaking. Since Security is the antithesis of Usability, you are not popular for doing your job. If you introduce a new security regime that makes things "hard" for people to do their jobs you are seen as a roadblock in the road of progress. If your security regime is not tight enough you are blamed for data leaks.
With this in mind, you need to derive your happiness from other places than peoples praise. I'd say the GPs post example is of a person who has learned to derive happiness from both family life and playing in a band.
I know I get happiness not from doing the security work, but from other sources that are funded by the security work. I can definitely corroborate the correlation with more anecdotal evidence of my own experience.
Now I must get back to writing more policy.
Approach it as a puzzle... (Score:4, Interesting)
Apart from that, it's a puzzle. Someone hands me a system or process, and it's my job to see if there's an unguarded way in (or out), a way to DOS the system, etc. Sometimes I don't find them before the real enemy does. It's a race, and it's a thrilling one.
Finally, I don't haughtily tell anyone anything. These are systems that (ideally) people have put their heart and soul into. You don't go up to someone and say their baby is ugly or deformed or broken. You point out that there may be a problem, and that you're a doctor - a specialist - and you're here to help.
The glue that binds testing together (Score:1, Interesting)
It's all of the inbetween conversations that help me.
Yes, I also do a lot of testing where I focus on demonstrating, as systematically and comprehensively as possible, that software, infrastructure, and components thereof are flawed, expose organisations to undue risk, and are otherwise bad and evil and nasty.
A lot of this sort of testing is inevitably tied into project lifecycles and operational readiness requirements where there's no dialogue and understanding between me, a security professional, and the professionals on the other side of the fence I engage with. Sometimes they're disinterested project managers, sometimes they're technical resources associated with a project which would really rather I not prove they're not operationally ready and prefer I not make them slip their deadlines.
Sometimes, I interface directly with security staff, or technical staff in an organisation who've been pushing to have $security input for some time. I really relish these engagements - the chance to actually talk to a customer, individually, face to face, and *really* find out what they want - and what's going wrong. Sometimes the conversations I have in these situations bear little or no resemblance to what's on the piece of paper detailing why I'm there. No matter - I'll still do the job. But over coffee, standing outside datacenter gates at 2am, whilst eating noodles at lunch, I chat with these people about what they're doing and how it can be done better.
Selfishly, these conversations are invaluble to me as a tester. I pick up more information regarding flaws, particularly those hard to find architectural ones much pentesting misses, from these conversations than from weeks of poring over build documents, change requests, and the output of tools and scripts.
That's just secondary to this point, though - really, I'm a roving, peripatetic know-it-all who loves to chat - and in those watercoolerconversations I have on most jobs I do, I have the opportunity to seek out and systematically eradicate boredom, stupidity, poor assumptions, and a whole range of other things. Some mine, some theirs.
That's why I really relish the job - it's just part of what makes being a consultant fun. Without that - doing the wrong kind of jobs, doing entirely remote work, just doing research.. well, there'd be other perks. But this one would be gone, and this one's been the biggest source of job satisfaction for me, recently.
Just my 2c. What's yours? :)
It drives the staff at our doctors crazy. (Score:5, Interesting)
Re:Correlation vs Causation (Score:4, Interesting)
Nope, much smaller, but I think we touched on some of the same projects.
I had a guest show up as I was finishing the last post and I cut it a little short. I was trying to say that I'm more satisfied working for myself because I work on what I believe in. Whether I can make a living at it in the long term remains to be seen, but I'm happier than I was at a comfortable desk job with a nice salary and vaguely defined work goals.
Smart and happy are a difficult combination. I wish I had more advice to give on the subject, but I'm grateful just to be reasonably content without medication. Most days, anyway.
IT Security == Depression? (Score:1, Interesting)
This article hits very close to home for me. You'll forgive me for posting as anonymous coward, but the following post is quite private and I'd rather it not appearing next to my name in Google searches.
I'm probably what you'd call an IT Security Professional. My job title is "network administrator", but I spend my day securing our network, reading security articles, finding new ways to protect my own data, as well as the organization I'm employed by. I tell you, when that cold-boot attack against whole-disk encryption came out, it scared me half to death. My workmates describe me as a "Security Nazi", which I think is in part why I was hired for this position.
Anyway, about 12 months ago, I was diagnosed with clinical depression. Whilst I don't think my 'IT security' based position was the consequence of it, I don't think it helped - which my physiologist and psychiatrist both seem to agree on.
To cut a long story short, my depression revolves around a fear that I'm going to lose all my friends - being left alone without anyone etc. Which would be bad.
It seems that my 'security-based-paranoia' comes into play a lot here. I always look at the worse-case-scenario in everything (hope for the best, plan for the worst). I always plan a response to an event. I analyse everything I say and do. That's what security professionals are supposed to do.
My problem is that mindset is being applied to my personal life. I see, plan and even expect worse-case-scenarios. I have an argument with a friend. I spend hours in my head working out what this could mean. Usually it ends up with me thinking "worse-case-scenario is I've just lost my best friend". It may have been a simple argument, but at least at the time, I don't see it that way.
Whilst these thoughts probably aren't that bad, being in my depressive type state, it continues down a path to which there is no end. "If, I've just lost this friend, it's only a matter of time before he/she talks to my other friends and I'll lose them too". Towards the end of that road, you get to "If I've lost all my friends, is there any point in living?" You can probably guess where things go from there, it's not pretty.
I very much like learning about security, so I am reluctant to walk away from it. Hell, I'm even good at it. In a way, perhaps too good.
I believe me being an IT security professional was just a coincidence to my depression, but now I'm here, it certainly hasn't helped.
Are we missing the obvious? (Score:2, Interesting)
Apparently there is (Score:5, Interesting)
Actually, there was this study linked on Slashdot a few years ago, where average happiness in IT was below that of, say, workers on garbage trucks. I'm too lazy to google it atm, though.
So apparently there _is_ at least some correlation.
There are plenty of personal anecdotes of people who were unhappy in IT jobs and got a lot happier when they resigned and did something else. I don't know if that's enough to "prove" a causation, but it at least makes one wonder.
Of course, it could also be that the people who are drawn to IT work are the ones who are totally unfit for that kind of a job, and who'll hate it. At least theoretically, it's a possibility.
On the other hand, it would be a first for any job.
On yet another hand, about half the people who end up in IT or programming jobs, loved working with a computer before choosing that career. In fact, that's why they chose it. A lot still love working with computers in their free time.
So whatever the cause and direction there is, at least it surely can't be that it draws people who hate computers.
At the very least, something is wrong there either way that causation goes. In the end, regardless of which way it goes, if you're unhappy with a job, you're just unhappy and that's that.
I have to wonder how much you can keep those attitudes separate.
There was a study some time ago, where merely being asked to write an apology of a position contrary to your own, fully knowing that it's just a silly exercise and it's not even supposed to be taken seriously, after a while causes your actual position to shift towards what you wrote. E.g., if you're a Democrat and have to write an essay about how right Bush is, after a while you'll actually start seeing him in a somewhat better light.
It's called cognitive dissonance. The brain basically has a model dissonance with "I'm a honest person" and "I just wrote a lie", and basically resolves it by changing the latter to "well, it wasn't really a lie. Maybe at most a bit of an exaggeration."
So a mask you wear every day, eventually becomes _you_. If you pose as a Linux/BSD/Mac/Windows fanboy to fit a certain crowd even just for a couple of hours a week, eventually you become more and more of an actual fanboy. And if you have to put on a thoroughly unhappy face every day for 8 hours, eventually you _will_ convince yourself that you _are_ unhappy with your situation.
At any rate, you can't really keep two completely opposite mental models, unless maybe if you're schizophrenic. And those attitudes are based on your model, after all: being, say, a misanthrope is based on your model having a pretty bad opinion of your fellow humans. You can't really switch between "humans are evil idiots, and they should have stayed in the trees for another million years until they're ripe" and "humans are nice and friendly, and I enjoy their company" at the drop of a hat. Your brain is wired to keep _one_ big model of everything consistent, not to have several models and switch between them as needed. If it worked with several models, it would avoid cognitive dissonance very easily. In practice, it doesn't.
So any model changes that cause a different attitude at work, _will_ still be there in your model when you're at home or at the pub with your friends. You may build an artificial "us" group (as in, "us vs them") of people who ar
the secret to happiness is to find value in value (Score:4, Interesting)
I've been working in IT security for almost 13 years now - I started back in the days when were said, "what's a firewall and why do I need it?"
I largely work as an independent consultant, and I have worked in banking, defense, fed gov't and the live-like-a-rockstar-dot-com-days.
I have to say that my overall sense of fulfillment at work has been rather low. Spending a decade telling people 'no' or 'how to do it better' - especially when they don't really understand that you're trying to help them, or they don't understand that there are actual threats - is really frustrating.
Working on endless IT projects, for clueless management, unappreciative end users only to have the project canceled (don't 80% of all IT projects fail?) leaves me with no real sense of accomplishment and meaning.
To mitigate this, I joined the local volunteer fire dept. Nothing beats a day in the cube more than rolling down the road lights and sirens or actually bringing someone back to life.
pax
Re:Good or bad (Score:4, Interesting)
Completely true, and one of the big reasons that I believe that static passwords provide almost no security. I'd much rather see the use of stronger authentication methods, such as SecurID tokens or digital certificates, which really do improve security without the extreme pain caused to end-users by passwords that can be cracked in a few minutes anyway.
Here we get back into the whole "security is overhead until after compromize, and then they're scapegoats" mode. Both token and certificate-based authentication cost HUGE amounts of money. They require adding servers, more administrative work, and frequently more hardware on the workstation, so very few companies actually deploy them, despite the obvious benefits.